Hi Eric,
Perhaps you are being intentionally non-directive, in which case perhaps
you can't answer my questions, but:
On 11/04/17 04:45, Eric Mill wrote:
> That root certificate's name ("VeriSign Class 3 SSP Intermediate CA - G2")
> was never mentioned in Bugzilla, and was not discussed during the inclusion
> of its parent CA ("VeriSign Universal Root Certification Authority"):
> https://bugzilla.mozilla.org/show_bug.cgi?id=484901
And you think that the fact that the root had cross-certified the FPKI
was a relevant fact which should have been brought to Mozilla's attention?
> While Symantec's CPS in 2016 mentions the Federal Bridge, the CPS that
> VeriSign had at the time they submitted that parent CA to Mozilla's program
> in 2009 does not mention the Federal PKI in any way:
>
> https://web.archive.org/web/20090612085619/http://www.verisign.com/repository/CPSv3.8.1_final.pdf
And you think it should have done?
> I am not familiar with what Mozilla's policies were in 2009, and I know
> there was a great deal of effort to draw attention to undisclosed
> intermediates in 2016 -- that effort is what drew attention to these
> cross-signatures.
In 2009, we did not have any policies relating to disclosure of
intermediates. The relevant policy at the time was 1.2:
https://wiki.mozilla.org/CA:CertificatePolicyV1.2
As you can see, requirements were relatively limited.
(See https://wiki.mozilla.org/CA:CertPolicy for the full history of our
policy.)
> But I think it's important to note that this relationship was not widely
> understood or publicly discussed as part of the Mozilla trusted root
> program, between 2009 and 2016.
And you think that's bad?
There were several discussions about including the FPKI roots during
this time, and about the problems that might cause. I might expect
someone reading those, who knew that we already trusted bits (or all?)
of the FPKI due to their actions, to say something...
Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
