On Thursday, June 8, 2017 at 7:44:08 PM UTC-5, Ben Wilson wrote:
> I don't believe that disclosure of root certificates is the responsibility
> of a CA that has cross-certified a key. For instance, the CCADB interface
> talks in terms of "Intermediate CAs". Root CAs are the responsibility of
> browsers to upload. I don't even have access to upload a "root"
> certificate.
At least in terms of the intention of disclosing the intermediates, I don't think you've made a fair assessment of the situation. The responsibility to disclose must fall upon the signer, not the one who was signed.

Cross-signature certificates are, effectively, intermediates granting an alternate / enhanced validation path to trust to a distinct, separate hierarchy. While IdenTrust signs Let's Encrypt's intermediates rather than cross-signing their root, the principle is ultimately the same. The browser programs clearly wish to have those who are positioned to grant trust accountable for any such trust that they grant.

It's one question if the other root is already in the trust store, but imagine it's some large enterprise root that's been running, perhaps under appropriate audits but maybe not, cross-signed by a widely trusted program participant. Perhaps the text needs clarifying, but I find it hard to believe that any of the browser programs is of the opinion that you can cross-sign someone else's root cert and not disclose that.

Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
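The "alternate validation path" point above, worked through as an added example (not part of the thread): a toy model of X.509 path building in which a cross-signature certificate grafts a constructed, untrusted "Enterprise Root" hierarchy onto a constructed "Trusted Root CA". All names and key identifiers are made up; there are no real signatures, only name and key-identifier (AKI/SKI-style) matching.

```python
"""Toy path builder showing how a cross-sign opens a second trust path.
Certificates are simplified records; names and keys are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str       # subject Distinguished Name
    spki: str          # identifier of the subject's public key (like SKI)
    issuer: str        # issuer Distinguished Name
    issuer_spki: str   # identifier of the key that signed it (like AKI)

    def is_self_signed(self):
        return self.subject == self.issuer and self.spki == self.issuer_spki


def build_paths(leaf, pool, trust_store):
    """Every chain from leaf to a self-signed root in trust_store.
    A candidate issuer must match both the name and the key identifier
    the child names, so two certs for the same CA key both qualify."""
    paths = []

    def walk(cert, chain, seen):
        if cert.is_self_signed():
            if cert in trust_store:
                paths.append(chain)
            return
        for cand in pool | trust_store:
            wanted = (cert.issuer, cert.issuer_spki)
            if (cand.subject, cand.spki) == wanted and cand not in seen:
                walk(cand, chain + [cand], seen | {cand})

    walk(leaf, [leaf], {leaf})
    return paths


def cross_signs(pool):
    """Certs carrying the name and key of a self-signed root in the pool
    but issued by a different CA: the certs that join two hierarchies."""
    roots = {(c.subject, c.spki) for c in pool if c.is_self_signed()}
    return [c for c in pool
            if not c.is_self_signed() and (c.subject, c.spki) in roots]


def disclosure_owner(cert):
    """The CA that signed the cert granted the trust, so it must disclose."""
    return cert.issuer


# Constructed hierarchy: a trusted program participant and an enterprise root
TRUSTED = Cert("Trusted Root CA", "k-trusted", "Trusted Root CA", "k-trusted")
ENTERPRISE = Cert("Enterprise Root", "k-ent", "Enterprise Root", "k-ent")
CROSS = Cert("Enterprise Root", "k-ent", "Trusted Root CA", "k-trusted")
LEAF = Cert("www.example.test", "k-leaf", "Enterprise Root", "k-ent")
```

With only `TRUSTED` in the store, `LEAF` chains to nothing until `CROSS` is in the pool; `cross_signs` then identifies `CROSS`, and `disclosure_owner(CROSS)` names the trusted CA that signed it.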