On Tue, Mar 13, 2018 at 7:19 AM, Kai Engert via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:
> On 13.03.2018 14:59, Ryan Sleevi wrote:
>>     the blog post says, the subCAs controlled by Apple and Google are the
>>     ONLY exceptions.
>>     However, the Mozilla Firefox code also treats certain DigiCert subCAs as
>>     exceptions.
>>     Based on Ryan Sleevi's recent comments on this list, I had concluded
>>     that the excluded DigiCert subCAs are used to support companies other
>>     than Apple and Google. Is my understanding right or wrong?
>> I think your understanding is incorrect. The DigiCert SubCAs are being
>> treated as part of the Managed Partner Infrastructure (aka the consensus
>> plan), and the (cross-signed DigiCert Roots) are excluded to avoid path
>> building issues in Firefox.
> Your earlier explanations were very complex, and had increased my
> uncertainty about who is covered by the Managed Partner Infrastructure.
> In your earlier explanations, you had mentioned additional company names
> besides Apple and Google. This had given me the impression that the
> Managed Partner Infrastructure isn't limited to supporting the Apple and
> Google companies, but also supports other companies.
>> That is, the exclusion of those DigiCert Sub-CAs *is* the consensus plan
>> referred to - what else could it be?
>>     Are Apple and Google really the only beneficiaries of the exceptions, or
>>     should the blog post get updated to mention the additional exceptions?
>> Do you think the above clarifies?
> I hope we are close.
> I really wish we could bring it down to a simple yes or no question, and
> you being able to respond with a clear yes or no.
> Let me try again.
> Are the DigiCert transition CAs, which are part of the exclusion list,
> and which you say are used for "Managed Partner Infrastructure",
> strictly limited to support the needs of the Apple and Google companies?

I'll try answering and let Ryan correct me.

Managed Partner Infrastructure CAs are NOT strictly limited to support
the needs of Apple/Google.

As I understand it, there are five different sets of CAs when it comes
to applying trust rules:

1) CAs that are not cross-signed by any of the roots owned by Symantec
as of June 2017 ("Symantec roots").  This is the majority of CAs in
the world.

2) Online/Non-root CAs that are cross-signed by a Symantec root and
which had their own non-Symantec audit as of June 2017 and have
current audits - this is currently a set of CAs owned by Alphabet and
Apple companies.

3) Root CAs that are cross-signed by a Symantec root and which had
their own non-Symantec audit as of June 2017 and have current audits -
this is currently a set of root CAs that are owned by DigiCert and
that existed prior to DigiCert acquiring the Symantec roots.

4) CAs that are cross-signed by a Symantec root which were explicitly
created for compatibility with existing clients.  These are not
cross-signed by any roots that are not Symantec roots.  These were
created by DigiCert and are not under their DigiCert branded CAs; they
are the "Managed Partner Infrastructure" CAs.

5) Any CAs not covered above (that is, CAs cross-signed by a Symantec
root but not in #2, #3, or #4).

CAs in group #2, #3, and #4 are able to continue issuing.  #4 have a
maximum validity period restriction that is less than the BR maximum.
#5 CAs are not trusted for certificates issued after
2017-12-01T00:00:00Z or before 2016-06-01T00:00:00Z.

Does this make it clear?
Ryan, did I get this wrong?
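The five groups and the date-window rule above can be read as a small decision procedure. The following is an added illustrative model written for this thread; it is not Firefox, NSS or DigiCert code, and the CA records in it are constructed. Group membership is derived from the properties the message names (cross-signed by a Symantec root, own non-Symantec audit as of June 2017, audits current, created only for compatibility), the group-5 window uses the two timestamps quoted in the message with inclusive boundaries (an assumption, since the message says only "after" and "before"), and the group-4 validity cap is a placeholder value because the message states only that it is below the BR maximum.

```python
"""Illustrative model of the five CA groups described in the message.

Added example, not Firefox/NSS code. CA records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Window quoted in the message for group-5 CAs: certificates whose notBefore
# lies outside it are not trusted. Boundaries treated as inclusive (assumption).
WINDOW_START = datetime(2016, 6, 1, tzinfo=UTC)
WINDOW_END = datetime(2017, 12, 1, tzinfo=UTC)
# Placeholder: the message says group 4 has a cap below the BR maximum
# but gives no number, so 365 days here is an assumed value.
GROUP4_MAX_VALIDITY_DAYS = 365


@dataclass(frozen=True)
class CA:
    name: str
    cross_signed_by_symantec: bool    # chains to a Symantec-owned root (June 2017)
    is_root: bool                     # root CA versus online/non-root CA
    independent_audit_2017: bool      # had its own non-Symantec audit as of June 2017
    audit_current: bool               # audits are current today
    compat_only: bool                 # created purely for client compatibility
    cross_signed_by_other_root: bool  # also chains to a non-Symantec root


def classify(ca: CA) -> int:
    """Return the group number (1-5) the message assigns to this CA."""
    if not ca.cross_signed_by_symantec:
        return 1  # never touched by a Symantec root
    if ca.independent_audit_2017 and ca.audit_current:
        return 3 if ca.is_root else 2  # independently audited, keeps issuing
    if ca.compat_only and not ca.cross_signed_by_other_root:
        return 4  # Managed Partner Infrastructure (transition CAs)
    return 5  # everything else under a Symantec root


def is_trusted(issuer: CA, not_before: datetime, not_after: datetime) -> bool:
    """Apply the per-group rule to a certificate issued by `issuer`."""
    group = classify(issuer)
    if group in (1, 2, 3):
        return True
    if group == 4:
        # Groups 4 may issue, but only with a shortened validity period.
        return (not_after - not_before) <= timedelta(days=GROUP4_MAX_VALIDITY_DAYS)
    # Group 5: trusted only for certificates issued inside the window.
    return WINDOW_START <= not_before <= WINDOW_END


# Constructed sample CAs, one per group (names are made up).
SAMPLE_CAS = {
    "independent": CA("Example Independent Root", False, True, True, True, False, False),
    "partner_online": CA("Example Partner Online CA", True, False, True, True, False, False),
    "legacy_root": CA("Example Legacy Root", True, True, True, True, False, False),
    "transition": CA("Example Transition CA", True, False, False, False, True, False),
    "symantec_era": CA("Example Symantec-era Online CA", True, False, False, False, False, False),
}


def evaluate(issuer_key: str, not_before: datetime, validity_days: int) -> dict:
    """Convenience wrapper returning group and trust decision for one cert."""
    issuer = SAMPLE_CAS[issuer_key]
    not_after = not_before + timedelta(days=validity_days)
    return {"group": classify(issuer), "trusted": is_trusted(issuer, not_before, not_after)}


if __name__ == "__main__":
    for key in SAMPLE_CAS:
        for nb in (datetime(2016, 1, 1, tzinfo=UTC), datetime(2017, 6, 1, tzinfo=UTC),
                   datetime(2018, 1, 15, tzinfo=UTC)):
            print(key, nb.date(), evaluate(key, nb, 365))
```

Running the module prints, for each sample CA, whether a one-year certificate issued on three dates (before, inside and after the window) would be trusted; only the group-5 CA changes its answer with the issuance date, and only the group-4 CA is sensitive to the validity length.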

dev-security-policy mailing list