Hi Eric,

Perhaps you are being intentionally non-directive, in which case perhaps
you can't answer my questions, but:

On 11/04/17 04:45, Eric Mill wrote:
> That root certificate's name ("VeriSign Class 3 SSP Intermediate CA - G2")
> was never mentioned in Bugzilla, and was not discussed during the inclusion
> of its parent CA ("VeriSign Universal Root Certification Authority"):
> https://bugzilla.mozilla.org/show_bug.cgi?id=484901

And you think that the fact that the root had cross-certified the FPKI
was a relevant fact which should have been brought to Mozilla's attention?

> While Symantec's CPS in 2016 mentions the Federal Bridge, the CPS that
> VeriSign had at the time they submitted that parent CA to Mozilla's program
> in 2009 does not mention the Federal PKI in any way:
> https://web.archive.org/web/20090612085619/http://www.verisign.com/repository/CPSv3.8.1_final.pdf

And you think it should have done?

> I am not familiar with what Mozilla's policies were in 2009, and I know
> there was a great deal of effort to draw attention to undisclosed
> intermediates in 2016 -- that effort is what drew attention to these
> cross-signatures.

In 2009, we did not have any policies relating to disclosure of
intermediates. The relevant policy at the time was 1.2:
As you can see, requirements were relatively limited.

(See https://wiki.mozilla.org/CA:CertPolicy for the full history of our

> But I think it's important to note that this relationship was not widely
> understood or publicly discussed as part of the Mozilla trusted root
> program, between 2009 and 2016.

And you think that's bad?

There were several discussions about including the FPKI roots during
this time, and about the problems that might cause. I might expect
someone reading those, who knew that we already trusted bits (or all?)
of the FPKI due to their actions, to say something...

dev-security-policy mailing list
