For the benefit of the list, I'm the author of that text and that quote is
from this page, which is maintained by the General Services Administration
(though again, not by the Federal PKI team):

The intended audience is federal agencies, and the intended takeaway is
that certificates from the Federal Common Policy CA should not be used for
TLS/HTTPS services where the expected client base is "the general public",
since the Federal PKI is not a member of the Mozilla root program.

Certificates from the Federal PKI can obviously be used where the client
base can be expected to trust its root CA, and there are many such uses of
the Federal PKI.

-- Eric

On Sun, Apr 16, 2017 at 8:50 PM, Peter Bachman via dev-security-policy <> wrote:

> Since we use ACES certificates for sending healthcare information in a way
> that mimimizes MITM, I was surprised to read the following.
> "The Federal PKI has cross-certified other agencies and commercial CAs,
> which means their certificates will be trusted by clients that trust the
> Federal PKI. However, none of these roots are publicly trusted. Even when a
> publicly trusted commercial CA is cross-certified with the Federal PKI,
> they maintain complete separation between their publicly trusted
> certificates and their Federal PKI cross-certified certificates.
> As a result, there is not currently a viable way to obtain an individual
> certificate for use in TLS/HTTPS that is issued or trusted by the Federal
> PKI, and also trusted by the general public."
> Source CIO Council
> The new ACES CP dated Jan 17 2017 does not assure public use of the ACES
> root.
> _______________________________________________
> dev-security-policy mailing list

Eric Mill
Senior Advisor, Technology Transformation Service, GSA, +1-617-314-0966 <(617)%20314-0966>
dev-security-policy mailing list

Reply via email to