On Mon, Apr 23, 2018 at 6:12 PM, Wayne Thayer via dev-security-policy < [email protected]> wrote:
> I'm re-sending this with the subject tagged as a 'policy 2.6 proposal' in
> case anyone missed it the first time.
>
> I am leaning toward option 2 as the best solution. The scope of section 8
> could be updated to state the following:
>
> CAs SHOULD NOT assume that trust is transferable. All CAs whose
> certificates are included in Mozilla's root program MUST notify Mozilla if:
>
> * ownership or control of the CA’s included certificate(s) changes; or,
> * the CA creates an unconstrained intermediate certificate as defined in
> section 5.3.2 that is controlled by another organization; or,
> * ownership or control of the CA's unconstrained intermediate
> certificate(s) changes; or,
> * ownership or control of the CA’s operations changes; or,
> * there is a material change in the CA's operations.
>
> This would then explicitly require CAs who create or transfer an
> unconstrained intermediate certificate to a 3rd party to obtain approval
> and meet the other requirements outlined in section 8.
>
> I would appreciate everyone's comments on this proposed change.

Apologies if I'm missing something, but I'm curious how this would cover the case of:

Org A - "TSP" operating a singular root certificate in the Mozilla program
Org B - "TSP" operating a single signed intermediate from Org A's Root Certificate
Org C - "TSP" operating a single signed intermediate from Org B's "Intermediate Certificate"
Org D - A new TSP

My understanding is that the proposed language would address the situation if Org B transferred control to Org D, but I'm struggling to see where/how it would require Org C to be subject to that if they transferred to Org D. The ambiguity that I struggle with comes from "control of the CA's" (in the third bullet) that seems subject to "All CAs whose certificates are included in Mozilla's root program" in the intro. It would seem it would only bind the Org A relationship, not Org B's.
In this regard, 5.3.2 is slightly less ambiguous, as it governs "All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to a certificate included in Mozilla’s CA Certificate Program,"

