Hi Eric,

Perhaps you are being intentionally non-directive, in which case perhaps you can't answer my questions, but:

On 11/04/17 04:45, Eric Mill wrote:
> That root certificate's name ("VeriSign Class 3 SSP Intermediate CA - G2")
> was never mentioned in Bugzilla, and was not discussed during the inclusion
> of its parent CA ("VeriSign Universal Root Certification Authority"):
> https://bugzilla.mozilla.org/show_bug.cgi?id=484901

And you think that the fact that the root had cross-certified the FPKI was a relevant fact which should have been brought to Mozilla's attention?

> While Symantec's CPS in 2016 mentions the Federal Bridge, the CPS that
> VeriSign had at the time they submitted that parent CA to Mozilla's program
> in 2009 does not mention the Federal PKI in any way:
>
> https://web.archive.org/web/20090612085619/http://www.verisign.com/repository/CPSv3.8.1_final.pdf

And you think it should have done?

> I am not familiar with what Mozilla's policies were in 2009, and I know
> there was a great deal of effort to draw attention to undisclosed
> intermediates in 2016 -- that effort is what drew attention to these
> cross-signatures.

In 2009, we did not have any policies relating to disclosure of intermediates. The relevant policy at the time was 1.2:
https://wiki.mozilla.org/CA:CertificatePolicyV1.2
As you can see, requirements were relatively limited. (See https://wiki.mozilla.org/CA:CertPolicy for the full history of our policy.)

> But I think it's important to note that this relationship was not widely
> understood or publicly discussed as part of the Mozilla trusted root
> program, between 2009 and 2016.

And you think that's bad?

There were several discussions about including the FPKI roots during this time, and about the problems that might cause. I might expect someone reading those, who knew that we already trusted bits (or all?) of the FPKI due to their actions, to say something...

Gerv