I think there is confusion over the generic term "Symantec". There is no issue with Symantec (the company) being an affiliate of the USG FPKI and operating CAs mutually cross-certified with the USG FPKI. Additionally, there is no issue with Symantec (or anyone else) operating CAs included in the Mozilla trust anchor list.
Where there is a problem, as Richard pointed out, is when a CA in the Mozilla trust anchor list issues a cross-certificate to a CA mutually cross-certified by the USG FPKI. The Mozilla policy is that every CA that is the subject of a cross-certificate issued by a CA in the Mozilla trust anchor list must comply with Mozilla policy. This is recursively true as well — "grandchild", "great-grandchild", etc. CAs must comply with Mozilla policy.

Instead of revoking the Symantec SSP to Federal Bridge certificate, Symantec could instead revoke these two certificates to separate the USG FPKI from their Mozilla-trusted CAs:

https://crt.sh/?id=2733031
https://crt.sh/?id=12722020

This is probably a better option and would avoid the issues you raised before.

Thanks,
Peter

> On Jun 29, 2016, at 10:18 PM, Myers, Kenneth (10421) <[email protected]> wrote:
>
> Thanks Eric.
>
> 1) Mutual trust is dependent on an exchange of certificates as outlined in the MOA and not the receipt. If one is removed, both must be removed per the MOA. It is currently being discussed to allow only a certificate receipt because mutual trust is a fundamental principle of the Federal Bridge. Revoking the certificate breaches the agreement. The IdenTrust CA is operated under a different program which coincidentally removed the certificate exchange requirement around the same time it was brought up in the forum and in the FPKI SSL testing.
>
> 2) The federal bridge is an identity hub and not an anchor. Trust is established through the cert chain to Federal Common Policy and not through a trust bundle or a trust store. Its purpose is to connect organizational PKIs so an affiliate or federal agency can continue to use their root CA as a trust anchor without the need to install other roots. By entering into an agreement with the Federal Bridge, all affiliates (Symantec included) recognize they trust certificates issued by other affiliates of the Federal Bridge based on the policy mapping in certificate exchange. All certificates are issued against the same criteria as outlined in the Federal Bridge CP and mapped to affiliate CPs.
>
> Ken
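The "recursively true" point above, and why revoking either the SSP-to-Bridge certificate or the two cross-certificates Peter names would both take the FPKI out of Mozilla's scope, comes down to reachability in the graph of issued CA certificates. The following is an added example and not part of the thread or of any CA's tooling: the CA names and edges are a constructed stand-in for the structure the messages describe (Mozilla-trusted roots cross-certifying a Symantec SSP CA, which is mutually cross-certified with the Federal Bridge, which in turn is mutually cross-certified with other affiliates and Federal Common Policy). In particular, modelling the two crt.sh entries as edges from Mozilla-trusted roots to the SSP CA is an assumption drawn from the surrounding sentence, not something read from crt.sh.

```python
"""Transitive reach of Mozilla policy across cross-certificates.

Constructed example: every CA name and (issuer, subject) edge below is a
hypothetical stand-in for the structure described in the thread. Nothing
here is read from crt.sh or from a real CA.
"""
from collections import deque

# A CA certificate is an (issuer, subject) edge. Self-signed roots are
# omitted; only certificates that extend trust to another CA matter.
CERTS = [
    # Assumed shape of the two crt.sh entries Peter lists: cross-certs
    # from Mozilla-trusted Symantec roots to the Symantec SSP CA.
    ("Symantec Root A (in Mozilla store)", "Symantec SSP CA"),
    ("Symantec Root B (in Mozilla store)", "Symantec SSP CA"),
    # SSP <-> Federal Bridge mutual cross-certification (per the MOA).
    ("Symantec SSP CA", "Federal Bridge CA"),
    ("Federal Bridge CA", "Symantec SSP CA"),
    # Bridge <-> another affiliate and <-> Federal Common Policy.
    ("Federal Bridge CA", "Affiliate X CA"),
    ("Affiliate X CA", "Federal Bridge CA"),
    ("Federal Bridge CA", "Federal Common Policy CA"),
    ("Federal Common Policy CA", "Federal Bridge CA"),
    # An unrelated Mozilla-trusted hierarchy, for contrast.
    ("Other Root (in Mozilla store)", "Other Intermediate CA"),
]

MOZILLA_ANCHORS = {
    "Symantec Root A (in Mozilla store)",
    "Symantec Root B (in Mozilla store)",
    "Other Root (in Mozilla store)",
}

FPKI_CAS = {"Federal Bridge CA", "Affiliate X CA", "Federal Common Policy CA"}

# The two remediation options discussed in the thread, as edge sets.
SSP_TO_BRIDGE = {("Symantec SSP CA", "Federal Bridge CA")}
TWO_CROSS_CERTS = {
    ("Symantec Root A (in Mozilla store)", "Symantec SSP CA"),
    ("Symantec Root B (in Mozilla store)", "Symantec SSP CA"),
}


def issued_by(certs):
    """Map each issuer to the set of subject CAs it has certified."""
    out = {}
    for issuer, subject in certs:
        out.setdefault(issuer, set()).add(subject)
    return out


def in_mozilla_scope(certs, anchors):
    """All CAs reachable from a Mozilla anchor by following issued certs.

    A browser can build a chain from any of these back to an anchor, so
    Mozilla policy applies to each of them regardless of hop count. The
    walk is breadth-first and tolerates the cycles that mutual
    cross-certification creates.
    """
    graph = issued_by(certs)
    seen = set(anchors)
    queue = deque(anchors)
    while queue:
        ca = queue.popleft()
        for child in graph.get(ca, ()):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def without(certs, revoked):
    """Certificate set after revoking the given (issuer, subject) edges."""
    return [c for c in certs if c not in revoked]


def fpki_in_scope(certs):
    """Which FPKI CAs a Mozilla-trusted chain can currently reach."""
    return in_mozilla_scope(certs, MOZILLA_ANCHORS) & FPKI_CAS


if __name__ == "__main__":
    print("as issued:            ", sorted(fpki_in_scope(CERTS)))
    print("revoke SSP->Bridge:   ", sorted(fpki_in_scope(without(CERTS, SSP_TO_BRIDGE))))
    print("revoke two cross-certs:", sorted(fpki_in_scope(without(CERTS, TWO_CROSS_CERTS))))
```

With the edges as issued, every FPKI CA is reachable from a Mozilla anchor through the SSP CA, which is what brings the Bridge and its other affiliates under Mozilla policy. Cutting either the SSP-to-Bridge edge or the two root-to-SSP edges leaves the FPKI unreachable; the difference is that the second option leaves the MOA certificate exchange intact and removes the SSP CA itself from Mozilla's scope, whereas the first keeps the SSP CA Mozilla-trusted while breaking the Bridge agreement Ken describes.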

