On Tue, Mar 13, 2018 at 10:52 AM, Peter Bowen <pzbo...@gmail.com> wrote:
> On Tue, Mar 13, 2018 at 7:19 AM, Kai Engert via dev-security-policy
> <email@example.com> wrote:
> > On 13.03.2018 14:59, Ryan Sleevi wrote:
> >>> the blog post says, the subCAs controlled by Apple and Google are
> >>> ONLY exceptions.
> >>> However, the Mozilla Firefox code also treats certain DigiCert subCAs as
> >>> exceptions.
> >>> Based on Ryan Sleevi's recent comments on this list, I had concluded
> >>> that the excluded DigiCert subCAs are used to support companies other
> >>> than Apple and Google. Is my understanding right or wrong?
> >> I think your understanding is incorrect. The DigiCert SubCAs are being
> >> treated as part of the Managed Partner Infrastructure (aka the consensus
> >> plan), and the (cross-signed DigiCert Roots) are excluded to avoid path
> >> building issues in Firefox.
> > Your earlier explanations were very complex, and had increased my
> > uncertainty about who is covered by the Managed Partner Infrastructure.
> > In your earlier explanations, you had mentioned additional company names
> > besides Apple and Google. This had given me the impression that the
> > Managed Partner Infrastructure isn't limited to support the Apple and
> > Google companies, but to also support other companies.
> >> That is, the exclusion of those DigiCert Sub-CAs *is* the consensus plan
> >> referred to - what else could it be?
> >>> Are Apple and Google really the only beneficiaries of the exceptions,
> >>> should the blog post get updated to mention the additional
> >> Do you think the above clarifies?
> > I hope we are close.
> > I really wish we could bring it down to a simple yes or no question, and
> > you being able to respond with a clear yes or no.
> > Let me try again.
> > Are the DigiCert transition CAs, which are part of the exclusion list,
> > and which you say are used for "Managed Partner Infrastructure",
> > strictly limited to support the needs of the Apple and Google companies?
> I'll try answering and let Ryan correct me.
> Managed Partner Infrastructure CAs are NOT strictly limited to support
> the needs of Apple/Google.
> As I understand it, there are five different sets of CAs when it comes
> to applying trust rules:
> 1) CAs that are not cross-signed by any of the roots owned by Symantec
> as of June 2017 ("Symantec roots"). This is the majority of CAs in
> the world.
> 2) Online/Non-root CAs that are cross-signed by a Symantec root and
> which had their own non-Symantec audit as of June 2017 and have
> current audits - this is currently a set of CAs owned by Alphabet and
> Apple companies
> 3) Root CAs that are cross-signed by a Symantec root and which had
> their own non-Symantec audit as of June 2017 and have current audits -
> this is currently a set of root CAs that are owned by DigiCert and
> that existed prior to DigiCert acquiring the Symantec roots
> 4) CAs that are cross-signed by a Symantec root which were explicitly
> created for compatibility with existing clients. These are not
> cross-signed by any roots that are not Symantec roots. These were
> created by DigiCert and are not under their DigiCert-branded CAs; they are
> the "Managed Partner Infrastructure" CAs.
> 5) Any CAs not covered above (that is, CAs cross-signed by a Symantec
> root but not in #2, #3, or #4).
> CAs in group #2, #3, and #4 are able to continue issuing. #4 have a
> maximum validity period restriction that is less than the BR maximum.
> #5 CAs are not trusted for certificates issued after
> 2017-12-01T00:00:00Z or before 2016-06-01T00:00:00Z.
> Does this make it clear?
> Ryan, did I get this wrong?
#4 is only limited in validity if Symantec was involved/validation
information was reused. As stated by DigiCert, there's been zero
involvement in the validation and zero-reuse of validated information,
hence, issuance times are permitted to the maximum BR allowed.
dev-security-policy mailing list
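The five-group rule set Peter lays out above, together with the group 5 date window, as an added example written for this thread (it is not Firefox's, Chrome's, or DigiCert's code, and nobody in the thread posted it): a simplified model of the decision a client makes for a chain anchored in a Symantec root. The CA names are constructed stand-ins; a real client keys the exemption lists on the CA certificate's subject and SPKI hash, and the exact handling of the boundary instants of the window is an assumption noted in the code.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Group 5 window from the thread: leaves issued before 2016-06-01 or after
# 2017-12-01 are not trusted.
WINDOW_START = datetime(2016, 6, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2017, 12, 1, tzinfo=timezone.utc)

# Constructed labels standing in for the real lists (assumption: a real
# client matches on subject+SPKI hash, not a friendly name).
SYMANTEC_ROOTS = {"symantec-root-1", "symantec-root-2"}
EXEMPT_SUBCAS = {"apple-ist-subca", "google-gts-subca"}     # group 2
EXEMPT_CROSS_SIGNED_ROOTS = {"digicert-legacy-root"}        # group 3
MANAGED_PARTNER_CAS = {"mpi-transition-subca"}              # group 4


@dataclass(frozen=True)
class Cert:
    name: str
    not_before: datetime


def classify_chain(chain: list[Cert]) -> int:
    """Return the group number (1-5) for a chain ordered leaf -> root."""
    if len(chain) < 2:
        raise ValueError("chain must contain at least a leaf and a root")
    root = chain[-1]
    if root.name not in SYMANTEC_ROOTS:
        return 1                      # not anchored in a Symantec root
    intermediates = {c.name for c in chain[1:-1]}
    # Exemptions are matched on the issuing path: a chain that passes through
    # an exempt CA is exempt even though its root is a Symantec root.
    if intermediates & EXEMPT_SUBCAS:
        return 2
    if intermediates & EXEMPT_CROSS_SIGNED_ROOTS:
        return 3
    if intermediates & MANAGED_PARTNER_CAS:
        return 4
    return 5


def chain_is_trusted(chain: list[Cert]) -> bool:
    """Apply the per-group rule; groups 1-4 continue to be trusted."""
    if classify_chain(chain) != 5:
        return True
    leaf_issued = chain[0].not_before
    # Group 5: only leaves issued inside the window. The thread does not say
    # whether the boundary instants themselves are in or out; this model
    # treats both ends as inclusive (assumption).
    return WINDOW_START <= leaf_issued <= WINDOW_END


def make_chain(leaf_not_before: str, *ca_names: str) -> list[Cert]:
    """Build a leaf -> root chain from an ISO date and CA names (constructed data)."""
    leaf = Cert("leaf", datetime.fromisoformat(leaf_not_before).replace(tzinfo=timezone.utc))
    cas = [Cert(n, datetime(2000, 1, 1, tzinfo=timezone.utc)) for n in ca_names]
    return [leaf, *cas]


if __name__ == "__main__":
    for label, chain in [
        ("legacy 2017 leaf", make_chain("2017-03-01", "symantec-secure-server-ca", "symantec-root-1")),
        ("legacy 2018 leaf", make_chain("2018-01-15", "symantec-secure-server-ca", "symantec-root-1")),
        ("MPI 2018 leaf", make_chain("2018-01-15", "mpi-transition-subca", "symantec-root-1")),
        ("non-Symantec root", make_chain("2018-01-15", "some-ca", "other-root")),
    ]:
        print(f"{label}: group {classify_chain(chain)}, trusted={chain_is_trusted(chain)}")
```

The ordering of the checks matters: group membership is decided by the first exempt CA found on the path, and only chains that match no exemption fall through to the date test, which is the behaviour the thread describes for group 5.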