On Thursday, June 8, 2017 at 7:44:08 PM UTC-5, Ben Wilson wrote:
> I don't believe that disclosure of root certificates is the responsibility
> of a CA that has cross-certified a key.  For instance, the CCADB interface
> talks in terms of "Intermediate CAs".  Root CAs are the responsibility of
> browsers to upload.  I don't even have access to upload a "root"
> certificate.  

At least in terms of intention of disclosing the intermediates, I don't think 
you've made a fair assessment of the situation.

The responsibility to disclose must fall upon the signer.  Not the one who was 
signed.

Cross-signature certificates are, effectively, intermediates granting an 
alternate / enhanced validation path to trust to a distinct, separate hierarchy.

While IdenTrust signs Let's Encrypt's intermediates rather than a cross-sign of 
their root, the principle is ultimately the same.  The browser programs clearly 
wish to have those who are positioned to grant trust accountable for any such 
trust that they grant.

It's one question if the other root is already in the trust store, but imagine 
it's some large enterprise root that's been running, perhaps under appropriate 
audits but maybe not, cross-signed by a widely trusted program participant.

Perhaps the text needs clarifying, but I find it hard to believe that any of 
the browser programs is of the opinion that you can cross-sign someone else's 
root cert and not disclose that.

Matt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
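Added example (not part of the thread above, and not code from Mozilla, IdenTrust or Let's Encrypt): a small Go program that shows concretely what the message means by a cross-signature being "effectively an intermediate granting an alternate validation path". It constructs a throwaway PKI with two hypothetical roots, "Example Root A" and "Example Root B", one intermediate key certified by Root A and cross-certified by Root B, and a leaf for the hypothetical name example.test. Verifying the same leaf against each root separately shows that the cross-sign certificate, signed by Root B's key, is the only thing that makes the leaf chain to Root B; drop it from the served chain and a client trusting only B fails. Everything here is constructed inline and runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// hierarchy is a constructed, throwaway PKI (all names hypothetical): two
// independent roots, one intermediate key certified by Root A and
// cross-certified by Root B, and a leaf issued under that intermediate key.
type hierarchy struct {
	rootA, rootB, inter, cross, leaf *x509.Certificate
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with parentKey (the key behind parent) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func build() hierarchy {
	keyA, keyB, keyI, keyL := mustKey(), mustKey(), mustKey(), mustKey()
	tA, tB := caTemplate("Example Root A", 1), caTemplate("Example Root B", 2)
	rootA := issue(tA, tA, &keyA.PublicKey, keyA) // self-signed
	rootB := issue(tB, tB, &keyB.PublicKey, keyB) // self-signed

	// Root A's own intermediate.
	inter := issue(caTemplate("Example Intermediate", 3), rootA, &keyI.PublicKey, keyA)
	// The cross-sign: SAME subject and SAME public key as inter, but signed by
	// Root B's key. Root B's operator is the signer of this certificate.
	cross := issue(caTemplate("Example Intermediate", 4), rootB, &keyI.PublicKey, keyB)

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(5), Subject: pkix.Name{CommonName: "example.test"},
		DNSNames:  []string{"example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// The leaf is signed once, by keyI; it is unaware of the cross-sign.
	leaf := issue(leafTmpl, inter, &keyL.PublicKey, keyI)
	return hierarchy{rootA: rootA, rootB: rootB, inter: inter, cross: cross, leaf: leaf}
}

// chainsTo verifies the leaf against the given trust anchors, offering the
// intermediate (and, if withCross, the cross-sign) as untrusted extra certs,
// as a TLS server would. It returns the root CN each valid chain ends in.
func (h hierarchy) chainsTo(withCross bool, trusted ...*x509.Certificate) ([]string, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range trusted {
		roots.AddCert(r)
	}
	inters.AddCert(h.inter)
	if withCross {
		inters.AddCert(h.cross)
	}
	chains, err := h.leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "example.test"})
	if err != nil {
		return nil, err
	}
	var ends []string
	for _, ch := range chains {
		ends = append(ends, ch[len(ch)-1].Subject.CommonName)
	}
	return ends, nil
}

func main() {
	h := build()
	report := func(name string, withCross bool, roots ...*x509.Certificate) {
		ends, err := h.chainsTo(withCross, roots...)
		fmt.Printf("%-32s -> %v (err=%v)\n", name, ends, err)
	}
	report("trust A only", true, h.rootA)
	report("trust B only, cross-sign served", true, h.rootB)
	report("trust B only, no cross-sign", false, h.rootB)
	report("trust A and B", true, h.rootA, h.rootB)
}
```

The point of the four runs: trusting only B succeeds solely because of the certificate Root B's key produced, and a client trusting both roots gets two chains to the same leaf. The cross-sign is therefore an intermediate of Root B's hierarchy in every sense that matters to a relying party, whichever CA operates the key inside it.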