On Sunday, December 4, 2016 at 11:56:13 PM UTC+8, Peter Bowen wrote:
> On Sun, Dec 4, 2016 at 7:26 AM, Wen-Cheng Wang wrote:
> > Gervase Markham wrote on Sunday, December 4, 2016 at 6:27:55 PM UTC+8:
> >> On 03/12/16 17:42, Peter Bowen wrote:
> >> > As to the inclusion request, I think Mozilla should reject this
> >> > request and add a clear rule to the Mozilla CA policy that each CA
> >> > must have a unique DN.  The DN should be a primary key for the trust
> >> > store and no two entries should have the same DN.
> >>
> >> Just to help me be clear: the request is for the inclusion of a root
> >> with the same DN as a previous root, which will still be included after
> >> the addition? Or the problem with duplicate DNs occurs further down the
> >> hierarchy?
> >
> > Our request is for the inclusion of a root with the same DN as a previous 
> > root.
> >
> > In our Government PKI, we have a national LDAP tree and all the entities 
> > (including the root CA, subordinate CAs, and end entities) have their own 
> > unique DNs in the directory tree. Since our Government Root CA (GRCA) is a 
> > permanent node in our national LDAP tree, it has certainly been assigned a 
> > unique DN. If we change the DN of our Government Root CA (GRCA) each time 
> > it re-keys, that will generate multiple nodes of our Government Root CA with 
> > different DNs in our national LDAP tree and that will be quite confusing.
> 
> Based on the publicly available data, it looks like you have multiple
> sets of CAs with the same DN in your tree.  For example MOEACA:
> https://crt.sh/?caid=13914 and https://crt.sh/?caid=13162 have the
> same DN and have different keys.
> 
> I think the larger issue is that you don't have BR audits for the
> subordinate CAs.

You are right, there are several subordinate CAs under our Government Root CA. 
Our Government Root CA and all its subordinates have WebTrust for CA audits. 
However, among those subordinate CAs, only GCA will issue SSL certificates. 
Therefore, only Government Root CA and GCA have SSL BR audits. Since currently 
all other subordinate CAs do not issue SSL certificates, it is certainly not 
possible for them to have SSL BR audits. 

PS: There is another subordinate CA named HCA that used to issue SSL 
certificates too, but HCA has stopped issuing SSL certificates. Therefore, 
currently GCA is the only subordinate CA that will issue SSL certificates. 

Wen-Cheng Wang 
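The point raised earlier in the thread (the DN as a primary key for the trust store, and MOEACA appearing on crt.sh with one DN but two different keys) is easy to check mechanically. The following is an added example, not code from the thread or from any of the CAs discussed: it builds a few constructed self-signed CA certificates (the subjects "Example Root CA" and "Example Sub CA" under a made-up "Example Government" organisation are assumptions, not real GRCA names), then groups them by Subject DN and reports every DN that shows up with more than one distinct SubjectPublicKeyInfo. The same function can be pointed at a real root bundle after parsing it with x509.ParseCertificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// DNCollision records one Subject DN that is carried by certificates
// with different public keys, i.e. the situation a trust store keyed
// on DN cannot represent unambiguously.
type DNCollision struct {
	Subject string
	SPKIs   []string // hex SHA-256 of each distinct SubjectPublicKeyInfo
}

// FindDNCollisions groups certificates by Subject DN and returns every DN
// that appears with two or more distinct SubjectPublicKeyInfo values.
// Certificates that merely re-issue the same key under the same DN
// (a plain re-signing) are not flagged.
func FindDNCollisions(certs []*x509.Certificate) []DNCollision {
	bySubject := map[string]map[string]bool{}
	for _, c := range certs {
		subj := c.Subject.String() // RFC 2253-style string form of the DN
		sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
		spki := hex.EncodeToString(sum[:])
		if bySubject[subj] == nil {
			bySubject[subj] = map[string]bool{}
		}
		bySubject[subj][spki] = true
	}
	var out []DNCollision
	for subj, spkis := range bySubject {
		if len(spkis) < 2 {
			continue
		}
		col := DNCollision{Subject: subj}
		for s := range spkis {
			col.SPKIs = append(col.SPKIs, s)
		}
		sort.Strings(col.SPKIs)
		out = append(out, col)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Subject < out[j].Subject })
	return out
}

// newSelfSignedCA builds a constructed self-signed CA certificate for the
// given subject with a freshly generated P-256 key. Every call produces a
// new key, which is what "re-keying" a root under the same DN looks like.
func newSelfSignedCA(subject pkix.Name, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SampleCollision returns constructed sample data (assumed names, not real
// GRCA certificates): two "re-keyed" roots that share one DN, plus an
// unrelated CA with its own DN that must not be flagged.
func SampleCollision() ([]*x509.Certificate, error) {
	root := pkix.Name{Country: []string{"TW"}, Organization: []string{"Example Government"}, CommonName: "Example Root CA"}
	other := pkix.Name{Country: []string{"TW"}, Organization: []string{"Example Government"}, CommonName: "Example Sub CA"}
	var certs []*x509.Certificate
	for i, n := range []pkix.Name{root, root, other} {
		c, err := newSelfSignedCA(n, int64(i+1))
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

func main() {
	certs, err := SampleCollision()
	if err != nil {
		panic(err)
	}
	for _, col := range FindDNCollisions(certs) {
		fmt.Printf("DN %q appears with %d distinct keys:\n", col.Subject, len(col.SPKIs))
		for _, s := range col.SPKIs {
			fmt.Println("  SPKI sha256:", s)
		}
	}
}
```

Keying on the SHA-256 of the raw SubjectPublicKeyInfo rather than on the certificate fingerprint is deliberate: a root that is simply re-signed with the same key (new validity, same DN, same SPKI) is a single trust anchor from a path-building point of view, whereas two different keys behind one DN are the case the thread is about.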


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy