RE: Intermediate certificate disclosure deadline in 2 weeks

[Jeremy Rowley]

Fed Root (not trusted) signs DigiCert Fed CA (not trusted)

A third CA (trusted) signs Fed Root (now trusted)

DigiCert Fed CA all of a sudden trusted but not through DigiCert. This CA now 
shows up on the list although it wasn’t DigiCert who signed it.

 

From: Eric Mill [mailto:e...@konklone.com] 
Sent: Thursday, June 23, 2016 2:41 PM
To: Ben Wilson <ben.wil...@digicert.com>
Cc: Peter Bowen <pzbo...@gmail.com>; Kurt Roeckx <k...@roeckx.be>; Richard 
Barnes <rbar...@mozilla.com>; Jeremy Rowley <jeremy.row...@digicert.com>; Steve 
<steve.me...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org; 
Kathleen Wilson <kwil...@mozilla.com>; Rob Stradling <rob.stradl...@comodo.com>
Subject: Re: Intermediate certificate disclosure deadline in 2 weeks

 

Peter, I think I get what you're saying about this being a different category 
of cross-sign, but could you spell out explicitly how this differs from e.g. 
the Identrust cross-sign issue that Richard linked to?

 

-- Eric

 

On Thu, Jun 23, 2016 at 4:39 PM, Ben Wilson <ben.wil...@digicert.com 
<mailto:ben.wil...@digicert.com> > wrote:

That's correct.

-----Original Message-----
From: Peter Bowen [mailto:pzbo...@gmail.com <mailto:pzbo...@gmail.com> ]
Sent: Thursday, June 23, 2016 2:39 PM
To: Ben Wilson <ben.wil...@digicert.com <mailto:ben.wil...@digicert.com> >
Cc: Eric Mill <e...@konklone.com <mailto:e...@konklone.com> >; Kurt Roeckx 
<k...@roeckx.be <mailto:k...@roeckx.be> >; Richard Barnes <rbar...@mozilla.com 
<mailto:rbar...@mozilla.com> >; Jeremy Rowley <jeremy.row...@digicert.com 
<mailto:jeremy.row...@digicert.com> >; Steve <steve.me...@gmail.com 
<mailto:steve.me...@gmail.com> >; mozilla-dev-security-pol...@lists.mozilla.org 
<mailto:mozilla-dev-security-pol...@lists.mozilla.org> ; Kathleen Wilson 
<kwil...@mozilla.com <mailto:kwil...@mozilla.com> >; Rob Stradling 
<rob.stradl...@comodo.com <mailto:rob.stradl...@comodo.com> >
Subject: Re: Intermediate certificate disclosure deadline in 2 weeks

On Thu, Jun 23, 2016 at 11:45 AM, Ben Wilson <ben.wil...@digicert.com 
<mailto:ben.wil...@digicert.com> > wrote:
> Another issue that  needs to be resolved involves the Federal Bridge
> CA 2013 (“Federal Bridge”).  When a publicly trusted sub CA
> cross-certifies the Federal Bridge, then all of the CAs cross-certified by 
> the Federal Bridge
> are trusted.   The chart (https://crt.sh/mozilla-disclosures) then captures
> all “non-publicly-trusted” sub CAs.  For instance, the following CAs
> are now caught up in the database,  but there is no way to input them
> (or CAs subordinate to them) into Salesforce because only the CA that
> cross-certified the Federal Bridge has access to that  certificate
> chain in Salesforce. In otherwords, I don’t have access to input the
> DigiCert Federated ID CA-1 or its sub CAs.

Ben,

Correct me if I'm wrong, but the DigiCert CA you mention is part of a different 
PKI from the DigiCert public roots in Mozilla, right?  The only reason that it 
is showing in the list is because a non-DigiCert CA cross-signed the Federal 
PKI and the Federal PKI cross-signed the DigiCert CA in question, correct?

Thanks,
Peter





 

-- 

konklone.com <https://konklone.com>  | @konklone <https://twitter.com/konklone> 

smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy