Peter, I think I get what you're saying about this being a different
category of cross-sign, but could you spell out explicitly how this differs
from e.g. the Identrust cross-sign issue that Richard linked to?

-- Eric

On Thu, Jun 23, 2016 at 4:39 PM, Ben Wilson <ben.wil...@digicert.com> wrote:

> That's correct.
>
> -----Original Message-----
> From: Peter Bowen [mailto:pzbo...@gmail.com]
> Sent: Thursday, June 23, 2016 2:39 PM
> To: Ben Wilson <ben.wil...@digicert.com>
> Cc: Eric Mill <e...@konklone.com>; Kurt Roeckx <k...@roeckx.be>; Richard
> Barnes <rbar...@mozilla.com>; Jeremy Rowley <jeremy.row...@digicert.com>;
> Steve <steve.me...@gmail.com>;
> mozilla-dev-security-pol...@lists.mozilla.org; Kathleen Wilson <
> kwil...@mozilla.com>; Rob Stradling <rob.stradl...@comodo.com>
> Subject: Re: Intermediate certificate disclosure deadline in 2 weeks
>
> On Thu, Jun 23, 2016 at 11:45 AM, Ben Wilson <ben.wil...@digicert.com>
> wrote:
> > Another issue that needs to be resolved involves the Federal Bridge
> > CA 2013 (“Federal Bridge”). When a publicly trusted sub CA
> > cross-certifies the Federal Bridge, then all of the CAs cross-certified
> > by the Federal Bridge are trusted. The chart
> > (https://crt.sh/mozilla-disclosures) then captures
> > all “non-publicly-trusted” sub CAs. For instance, the following CAs
> > are now caught up in the database, but there is no way to input them
> > (or CAs subordinate to them) into Salesforce because only the CA that
> > cross-certified the Federal Bridge has access to that certificate
> > chain in Salesforce. In other words, I don’t have access to input the
> > DigiCert Federated ID CA-1 or its sub CAs.
>
> Ben,
>
> Correct me if I'm wrong, but the DigiCert CA you mention is part of a
> different PKI from the DigiCert public roots in Mozilla, right?  The only
> reason that it is showing in the list is because a non-DigiCert CA
> cross-signed the Federal PKI and the Federal PKI cross-signed the DigiCert
> CA in question, correct?
>
> Thanks,
> Peter
>



-- 
konklone.com | @konklone <https://twitter.com/konklone>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
