A couple of weeks ago, Google announced Google Trust Services (https://security.googleblog.com/2017/01/the-foundation-of-more-secure-web.html) and also announced that they have acquired two roots that are in the Mozilla trust store.
As discussed in this group previously, Mozilla does not have a very clear policy on root transfer, but does have a clear policy on audit requirements and disclosure. Based on the material published in the blog and at the Google Trust Services website (https://pki.goog), I'm not clear that the transfer and operation meet Mozilla's requirements.

First, according to the GTS website, there is no audit using the WebTrust Principles and Criteria for Certification Authorities – Extended Validation SSL. However, the two roots in the Mozilla CA program are currently EV enabled, and at least one subordinate CA under them is issuing EV certificates.

Second, according to the GTS CPS v1.3, "Between 11 August 2016 and 8 December 2016, Google Inc. operated these Roots according to Google Inc.'s Certification Practice Statement." The basic WebTrust for CA and WebTrust BR audit reports for the period ending September 30, 2016 explicitly state they are for "subordinate CA under external Root CA" and do not list the roots in the GTS CPS at all.

Third, the Google CPS says Google took control of these roots on August 11, 2016. The Mozilla CA policy explicitly says that a bug report must be filed to request to be included in the Mozilla CA program. It was not until December 22, 2016 that Google requested inclusion as a CA in Mozilla's CA program (https://bugzilla.mozilla.org/show_bug.cgi?id=1325532). This does not appear to align with Mozilla's requirements for public disclosure.

Fourth, the audit reports linked in the bug explicitly set the scope as "subordinate CA operated under external Root CA" and do not include any indication of controls around the issuance of subordinate CA certificates. These audit reports do not have an appropriate scope for a root CA.

I realize the discussion period for Google's inclusion request is likely many months off, but I believe that it is important to address these issues soon, as they impact roots currently in the Mozilla CA program.
Thanks,
Peter

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy