On Wed, Oct 5, 2016 at 6:55 PM, Man Ho (Certizen) <ma...@certizen.com> wrote:
> It is an interesting aspect that the Mozilla community has not discussed
> thoroughly, or at all.
>
> Cross-signing a third-party intermediate cert is equivalent to sharing
> of trust, which any CA should only consider with extreme care. Is it
> possible to know how many intermediate certs are cross-signed by Comodo?
> Is there any Comodo practice statement on cross-signing? Comodo seems
> to be quite keen on this kind of business even after the lesson learned
> from its last incident in 2011
> (https://blog.mozilla.org/security/2011/03/25/comodo-certificate-issue-follow-up/).

I think the community has discussed cross-signing both in this
discussion and in the broader discussion of the trust graph.

https://wiki.mozilla.org/CA:WoSign_Issues#Cross_Signing lists all the
known cross-signs of WoSign.

https://wiki.mozilla.org/CA:SubordinateCAcerts provides info on all
subordinate (including cross-signed) CAs for each root in the Mozilla
program.  Rob Stradling of Comodo combined this with certificate
transparency information to generate
https://crt.sh/mozilla-disclosures.

As for Comodo, they have published
https://secure.comodo.com/products/publiclyDisclosedSubCACerts for a
while now.  It shows which subordinates are operated by Comodo and
which are independently operated.

The next step for Mozilla is to determine how to handle the 285 CA
certificates not disclosed in the Mozilla SF system and the 80 that
are under-disclosed.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
