On 28/03/2017 12:21, Rob Stradling wrote:
> On 28/03/17 11:02, Gervase Markham via dev-security-policy wrote:
>> On 27/03/17 23:12, Andrew Ayer wrote:
>>> My interpretation of the policy is that a CA could delay disclosure for
>>> quite some time if the sub-CA is not used to issue certificates right
>>> away. If the sub-CA is created as a backup that is never used, the
>>> disclosure would never need to happen.
>>> I think this is bad.
>> Your case is missing the part where you explain why you think this is
>> bad :-) What risks are associated with undisclosed dormant sub-CA certs?
> Increased attack surface. An undisclosed dormant sub-CA most likely has
> its private key in an online HSM, and so I think it's prudent to assume
> that it's more vulnerable (to being compromised by an attacker, or to
> being accidentally used to misissue a cert) than an offline root key.
> IINM, the purpose (so far) of Mozilla's intermediate cert disclosure
> policy is to map the attack surface. Right?

Actually, I think it is about ensuring that there are no non-compliant
issuers of Mozilla-trusted certificates, that might be issuing
improperly validated certificates.

Any unknown SubCA would be trusted by recursion, but would not have
given Mozilla sufficient assurance it is using this ability in a policy
compliant manner.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy