> On Jun 8, 2017, at 20:43, Ben Wilson via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>
> I don't believe that disclosure of root certificates is the responsibility
> of a CA that has cross-certified a key. For instance, the CCADB interface
> talks in terms of "Intermediate CAs". Root CAs are the responsibility of
> browsers to upload. I don't even have access to upload a "root"
> certificate.

I think the Mozilla Root Store policy is pretty clear on this point:

> All certificates that are capable of being used to issue new certificates,
> and which directly or transitively chain to a certificate included in
> Mozilla’s CA Certificate Program, MUST be operated in accordance with this
> policy and MUST either be technically constrained or be publicly disclosed
> and audited.

The self-signed certificates in the present set are all in scope for the disclosure policy because they are capable of being used to issue new certificates and chain to a certificate included in Mozilla’s CA Certificate Program. From the perspective of the Mozilla root store they look like intermediates because they can be used as intermediates in a valid path to a root certificate trusted by Mozilla.

Jonathan