On 19/05/16 21:48, Kathleen Wilson wrote:
On Monday, May 16, 2016 at 1:33:40 PM UTC-7, Rob Stradling wrote:
However, ISTM that a "proposed change currently in discussion" is less
authoritative than the CA Communication (which, as I've said, seems to
explicitly require multiple disclosures of the same intermediate when
multiple trust paths exist).

Assuming everyone's happy with my suggested resolution, please would you
update the requirements for "ACTION #2" before the end of June (the
earlier the better!) so that multiple disclosures are not required?


It's too late to update the CA Communication itself, so I will provide the 
update here.


Proposed by Rob:
   1. Require https://crt.sh/?id=1790 to be disclosed precisely once, by
Web.com, because the chain up to Web.com's Built-in Root is the shortest
chain.
   2. Hold both Web.com and Comodo equally to blame if
https://crt.sh/?id=1790 is not disclosed.  (This gives Comodo the
incentive to ensure that Web.com do disclose it).

I agree with this proposal, but will try to clarify a bit more...
For root certificate A that is cross-signed by another included root 
certificate B (that has the Websites trust bit enabled), the intermediate 
certificates chaining up to A only need to be disclosed once.
The cross-certificates for root certificate A must be entered into Salesforce, 
chaining to root certificate B.
If root certificate A is included and has the Websites trust bit enabled, then 
its intermediate certificates should be entered into Salesforce such that they 
chain directly to root certificate A.
If root certificate A has been removed from NSS or does not have the Websites 
trust bit enabled, then its intermediate certificates must be entered into 
Salesforce such that they chain to root certificate B.

Great.  That's completely clear.  Thanks Kathleen.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
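As an added example, not code from this thread or from Mozilla's CA program, the following Python models the rule Kathleen lays out above together with Rob's "disclosed precisely once" proposal: given an inventory of roots, cross-signs and intermediates, it computes the single root each certificate should be entered as chaining to. All root and intermediate names are constructed placeholders, not the actual Web.com or Comodo certificates.

```python
from collections import deque

# Constructed sample data (not from the thread): two roots and two intermediates.
# RootA plays the cross-signed root, RootB the root that cross-signs it.
ROOTS = {
    "RootA": {"included": True, "websites": True},
    "RootB": {"included": True, "websites": True},
}
CROSS_SIGNS = {"RootA": ["RootB"]}  # RootA is cross-signed by RootB
INTERMEDIATES = {"IntA1": "RootA", "IntA2": "RootA"}  # name -> direct issuer root

def trusted_for_websites(root, roots):
    """Included in NSS with the Websites trust bit enabled."""
    r = roots.get(root)
    return bool(r and r["included"] and r["websites"])

def disclosure_root(direct_root, roots, cross_signs):
    """Root an intermediate issued by direct_root must chain to, plus the root path."""
    # Rule 1: the direct root is included with the Websites bit -> chain directly to it.
    if trusted_for_websites(direct_root, roots):
        return direct_root, [direct_root]
    # Rule 2: otherwise follow cross-signs (breadth-first, so the shortest chain wins)
    # to the nearest root that is included with the Websites bit.
    queue, seen = deque([[direct_root]]), {direct_root}
    while queue:
        path = queue.popleft()
        for signer in cross_signs.get(path[-1], []):
            if trusted_for_websites(signer, roots):
                return signer, path + [signer]
            if signer not in seen:
                seen.add(signer)
                queue.append(path + [signer])
    return None, []  # no path into the Websites trust store: nothing to disclose

def disclosures(intermediates, roots, cross_signs):
    """One Salesforce-style record per certificate, so each is disclosed precisely once."""
    records = {}
    for name, issuer in intermediates.items():
        records[name] = disclosure_root(issuer, roots, cross_signs)[0]
    # The cross-certificates for a cross-signed root are entered chaining to the signer.
    for root_a, signers in cross_signs.items():
        for root_b in signers:
            records[f"{root_a} cross-signed by {root_b}"] = root_b
    return records

if __name__ == "__main__":
    print(disclosures(INTERMEDIATES, ROOTS, CROSS_SIGNS))
    removed = {**ROOTS, "RootA": {"included": False, "websites": False}}  # RootA removed
    print(disclosures(INTERMEDIATES, removed, CROSS_SIGNS))
```

The second run shows the case in Kathleen's last sentence: once RootA is removed from NSS, the same intermediates are reported as chaining to RootB instead, still with exactly one record each.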

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy