On Tue, Apr 24, 2018 at 9:21 AM, Ryan Sleevi <r...@sleevi.com> wrote:
> On Mon, Apr 23, 2018 at 6:12 PM, Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
>> I'm re-sending this with the subject tagged as a 'policy 2.6 proposal' in case anyone missed it the first time.
>>
>> I am leaning toward option 2 as the best solution. The scope of section 8 could be updated to state the following:
>>
>> CAs SHOULD NOT assume that trust is transferable. All CAs whose certificates are included in Mozilla's root program MUST notify Mozilla if:
>>
>> * ownership or control of the CA’s included certificate(s) changes; or,
>> * the CA creates an unconstrained intermediate certificate as defined in section 5.3.2 that is controlled by another organization; or,
>> * ownership or control of the CA's unconstrained intermediate certificate(s) changes; or,
>> * ownership or control of the CA’s operations changes; or,
>> * there is a material change in the CA's operations.
>>
>> This would then explicitly require CAs who create or transfer an unconstrained intermediate certificate to a 3rd party to obtain approval and meet the other requirements outlined in section 8.
>>
>> I would appreciate everyone's comments on this proposed change.
>
> Apologies if I'm missing something, but I'm curious how this would cover the case of:
>
> Org A - "TSP" operating a singular root certificate in the Mozilla program
> Org B - "TSP" operating a single signed intermediate from Org A's Root Certificate
> Org C - "TSP" operating a single signed intermediate from Org B's "Intermediate Certificate"
> Org D - A new TSP
>
> My understanding is that the proposed language would address the situation if Org B transferred control to org D, but I'm struggling to see where/how it would require Org C to be subject to that if they transferred to Org D.

Good point. How about combining the two bullets from my earlier proposal as follows:

CAs SHOULD NOT assume that trust is transferable. All CAs whose certificates are included in Mozilla's root program MUST notify Mozilla if:

* an organization other than the CA obtains control of an unconstrained intermediate certificate (as defined in section 5.3.2) that directly or transitively chains to the CA's included certificate(s); or,

> The ambiguity that I struggle with comes from "control of the CA's" (in the third bullet) that seems subject to "All CAs whose certificates are included in Mozilla's root program" in the intro. It would seem it would only bind the Org A relationship, not Org B's.
>
> In this regard, 5.3.2 is slightly less ambiguous, as it governs "All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to a certificate included in Mozilla’s CA Certificate Program,"

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy