I'm re-sending this with the subject tagged as a 'policy 2.6 proposal' in case anyone missed it the first time.
I am leaning toward option 2 as the best solution. The scope of section 8 could be updated to state the following: CAs SHOULD NOT assume that trust is transferable. All CAs whose certificates are included in Mozilla's root program MUST notify Mozilla if: * ownership or control of the CA’s included certificate(s) changes; or, * the CA creates an unconstrained intermediate certificate as defined in section 5.3.2 that is controlled by another organization; or, * ownership or control of the CA's unconstrained intermediate certificate(s) changes; or, * ownership or control of the CA’s operations changes; or, * there is a material change in the CA's operations. This would then explicitly require CAs who create or transfer an unconstrained intermediate certificate to a 3rd party to obtain approval and meet the other requirements outlined in section 8. I would appreciate everyone's comments on this proposed change. - Wayne On Tue, Apr 17, 2018 at 11:42 AM, Wayne Thayer <[email protected]> wrote: > This issue was brought up in the thread that kicked off the 2.6 root store > policy update [1]. Mozilla policy section 5.3.2 requires CAs to disclose > new unconstrained intermediate CA certificates within one week of creation. > Section 8 covers [in my opinion] transfers of roots but not intermediates. > This leaves a loophole for a CA to create a new intermediate CA > certificate, then transfer it without notice or approval. This problem also > applies to cross-signatures from one CA to another. > > I am aware of three potential solutions: > > 1. In section 5.3.2, require CAs to also disclose a change in the > ownership or control of an unconstrained intermediate CA certificate within > one week of the change. > > 2. Modify section 8 to explicitly include transfers of trust via > intermediate CA certificates and cross signatures. Under section 8.1, this > would require notice and approval: > > If the receiving or acquiring company is new to the Mozilla root program, >> there MUST be a public discussion regarding their admittance to the root >> program, which Mozilla must resolve with a positive conclusion before >> issuance is permitted. >> > 3. Require organizations that are receiving subordinate CA certificates to > go through the whole Mozilla inclusion process as if they were applying for > a new root. > > I would appreciate everyone's input on this topic. > > This is: https://github.com/mozilla/pkipolicy/issues/122 > > [1] https://groups.google.com/d/msg/mozilla.dev.security.policy/ > xGGGaI1_uo0/POMANRWRAAAJ > ------- > > This is a proposed update to Mozilla's root store policy for version > 2.6. Please keep discussion in this group rather than on GitHub. Silence > is consent. > > Policy 2.5 (current version): > https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md > > _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
