On Mon, Mar 27, 2017 at 3:09 PM, Kai Engert via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Are there existing rules, in the CABForum BRs, or in the Mozilla CA
> policy, that define under which circumstances the private key of an
> actively used EV approved root CA may be transferred to a different
> company that hasn't been audited for EV compliance?

A root CA is not simply approved for EV. A root CA has one or more policies that indicate compliance with EV, and those policies are recognized for the associated root certificates.

To your question, no, there are no policies _specific to EV_ related to that. The general Mozilla Policy handling all root key transfer and cross-certifications applies.

> As soon as the private key has been given to another company, the
> receiving company technically has the ability to issue EV certificates
> (even if they never intend to do so), right?

Correct, but as per the above, the actual _use_ of that is governed by the CP/CPS and associated audits, no different than any other CA.

> I would have naively assumed that a company that owns an EV approved CA
> is expected to strictly protect their EV issuing power, and must never
> share it with another company that hasn't been approved for issuing EV
> certificates.

That's not stated in any special case for EV. In fact, even without the transfer of root key material, it's possible for an EV-enabled root to cross-certify another CA for EV issuance, by authorizing them for the relative certificate policies. It is incumbent upon the issuing CA to ensure that subordinated CA's policies and practices are wholly aligned with the parent CA's CP/CPS.

> If this makes sense, and if there aren't any rules yet, I suggest adding
> them to the appropriate policy documents.
Given the bug you were asking questions on "this morning", https://bugzilla.mozilla.org/show_bug.cgi?id=1349727, it sounds like this is related to the discussion on https://groups.google.com/d/msg/mozilla.dev.security.policy/1PDQv0GUW_s/oxDWH07VDgAJ, which has significantly more details on this, including statements from various Mozilla peers and module owners.