For the benefit of the list, I'm the author of that text and that quote is from this page, which is maintained by the General Services Administration (though again, not by the Federal PKI team):
https://https.cio.gov/certificates/#does-the-us-government-operate-a-publicly-trusted-certificate-authority%3f

The intended audience is federal agencies, and the intended takeaway is that certificates from the Federal Common Policy CA should not be used for TLS/HTTPS services where the expected client base is "the general public", since the Federal PKI is not a member of the Mozilla root program. Certificates from the Federal PKI can obviously be used where the client base can be expected to trust its root CA, and there are many such uses of the Federal PKI.

-- Eric

On Sun, Apr 16, 2017 at 8:50 PM, Peter Bachman via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Since we use ACES certificates for sending healthcare information in a way that minimizes MITM, I was surprised to read the following.
>
> "The Federal PKI has cross-certified other agencies and commercial CAs, which means their certificates will be trusted by clients that trust the Federal PKI. However, none of these roots are publicly trusted. Even when a publicly trusted commercial CA is cross-certified with the Federal PKI, they maintain complete separation between their publicly trusted certificates and their Federal PKI cross-certified certificates.
>
> As a result, there is not currently a viable way to obtain an individual certificate for use in TLS/HTTPS that is issued or trusted by the Federal PKI, and also trusted by the general public."
>
> Source CIO Council
>
> The new ACES CP dated Jan 17 2017 does not assure public use of the ACES root.
--
Eric Mill
Senior Advisor, Technology Transformation Service, GSA
eric.m...@gsa.gov, +1-617-314-0966

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
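The following script is an added illustration of the trust-anchor point made above; it is not code from this thread, from GSA, or from the Federal PKI. It builds two unrelated self-signed roots (one standing in for a private policy root such as the Federal Common Policy CA, one standing in for a root that a browser root program ships), issues a TLS server certificate from the private root, and validates that one certificate against each root store in isolation, with the system CA store excluded. The root names, file paths and the `service.example.gov` hostname are all constructed for the demo; it needs only the `openssl` command line tool.

```shell
#!/bin/sh
# Added example; not code from this thread, from GSA or from the Federal PKI.
# Shows the trust-anchor point from the thread: a leaf certificate is trusted
# only by relying parties that hold its root. A leaf issued under a private
# root verifies against that root and is rejected by a store that holds only
# an unrelated "browser program" root. All names and paths are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
LEAF_HOST="service.example.gov"   # constructed hostname

# Self-contained OpenSSL config so the demo does not depend on the system
# openssl.cnf. v3_ca marks a root as a CA; v3_leaf is a TLS server profile.
cat > "$WORK/demo.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = placeholder-overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$LEAF_HOST
EOF

# make_root PREFIX CN: self-signed root written to $WORK/PREFIX.pem.
make_root() {
  openssl req -x509 -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
    -days 1 -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_leaf ROOT_PREFIX LEAF_PREFIX: CSR for $LEAF_HOST, signed by ROOT.
issue_leaf() {
  openssl req -new -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
    -sha256 -subj "/CN=$LEAF_HOST" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -sha256 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/demo.cnf" -extensions v3_leaf \
    -out "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_with STORE_PEM LEAF_PEM: build the chain using ONLY the roots in
# STORE (system CA file and directory excluded) and require the TLS-server
# purpose. Prints TRUSTED (status 0) or UNTRUSTED (status 1).
verify_with() {
  if openssl verify -no-CApath -no-CAfile -CAfile "$1" \
       -purpose sslserver "$2" >/dev/null 2>&1; then
    echo TRUSTED
  else
    echo UNTRUSTED
    return 1
  fi
}

make_root private-root "Constructed Private Policy Root"  # stand-in for a private PKI root
make_root public-root  "Constructed Browser Program Root" # stand-in for a root-program root
issue_leaf private-root leaf

# A client that installed the private root accepts the leaf; a client holding
# only the browser-program root rejects the very same certificate.
printf 'private root store: %s\n' "$(verify_with "$WORK/private-root.pem" "$WORK/leaf.pem" || true)"
printf 'public root store:  %s\n' "$(verify_with "$WORK/public-root.pem"  "$WORK/leaf.pem" || true)"
```

The `-no-CApath -no-CAfile` flags are what make the second check honest: without them `openssl verify` would silently fall back to the system store, which is exactly the ambiguity the thread is about. Swapping the private root for a cross-certified one changes nothing here, since a cross-certificate only helps a client that already trusts the other side of the cross.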