Issue #186 in GitHub <https://github.com/mozilla/pkipolicy/issues/186> deals with the disclosure of CA certificates that directly or transitively chain up to an already-trusted, Mozilla-included root. A common scenario for the situation discussed in Issue #186 is when a CA creates a second (or third or fourth) root certificate with the same key pair as the root that is already in the Mozilla Root Store. This problem exists at the intermediate-CA-certificate level, too, where a self-signed intermediate/subordinate CA certificate is created and not reported.

Public disclosure of such certificates is already required by section 5.3 of the MRSP, which reads, "All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to a certificate included in Mozilla’s CA Certificate Program, MUST be operated in accordance with this policy and MUST either be technically constrained or be publicly disclosed and audited."

There have been several instances where a CA operator has not disclosed a CA certificate under the erroneous belief that because it is self-signed it cannot be trusted in a certificate chain beneath the already-trusted, Mozilla-included CA. This erroneous assumption is further discussed in Issue #186 <https://github.com/mozilla/pkipolicy/issues/186>.

The third paragraph of MRSP section 5.3 currently reads, "These requirements include all cross-certificates which chain to a certificate that is included in Mozilla’s CA Certificate Program." I recommend that we change that paragraph to read as follows:

"These requirements include all cross-certificates *and self-signed certificates (e.g. "Issuer" DN is equivalent to "Subject" DN and public key is signed by the private key) that* chain to a CA certificate that is included in Mozilla’s CA Certificate Program*, and CAs must disclose such CA certificates in the CCADB*."

I welcome your recommendations on how we can make this language even more clear.

Thanks,
Ben

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
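The post's point is that a self-signed CA certificate can still sit in a chain beneath a Mozilla-included root whenever its signature verifies under a key that is already trusted (the root's own key pair reused in a second root, or a subordinate CA's key pair reused in a self-signed certificate). The following added example, which is not part of the original post or of Mozilla's policy text, constructs such certificates with the `cryptography` package and runs a disclosure check over them: it builds chains by key (does `K` verify the signature on `cert`?) rather than by Issuer DN, exactly the way a path builder can, and reports every CA certificate that reaches a trusted root but is absent from the disclosed set. All CA names, keys and the "disclosed" list are constructed for the demonstration.

```python
"""Added example: why self-signed CA certificates that reuse an already-trusted
key pair still chain to a trusted root, and a check that flags them when they
are missing from a disclosure list. Requires the 'cryptography' package.
All certificates, names and keys below are constructed for this demonstration."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca_cert(subject_cn, subject_key, issuer_cn, issuer_key):
    """Build a CA certificate (BasicConstraints ca=TRUE). With issuer_cn ==
    subject_cn and issuer_key == subject_key the result is self-signed."""
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def signed_by_key(cert, public_key):
    """True if public_key verifies cert's signature. This is what a key-based
    path builder asks; it does not care what the Issuer DN says."""
    try:
        public_key.verify(cert.signature, cert.tbs_certificate_bytes,
                          ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def is_self_signed(cert):
    """Issuer DN equals Subject DN and the certificate's own key verifies it."""
    return cert.subject == cert.issuer and signed_by_key(cert, cert.public_key())


def is_ca(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False


def find_undisclosed_ca_certs(trusted_roots, disclosed, observed):
    """Return the CA certificates in `observed` that chain, directly or
    transitively by key, to a trusted root but are neither a root nor in
    `disclosed`. Runs to a fixed point so certs signed by a newly reached CA
    are picked up on the next pass."""
    known = list(trusted_roots)
    pool = [c for c in observed if c not in known and is_ca(c)]
    changed = True
    while changed:
        changed = False
        for cert in list(pool):
            if any(signed_by_key(cert, k.public_key()) for k in known):
                known.append(cert)
                pool.remove(cert)
                changed = True
    accounted_for = set(disclosed) | set(trusted_roots)
    return [c for c in known if c not in accounted_for]


def build_scenario():
    """Constructed CA hierarchy mirroring the cases in the post."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    sub_key = ec.generate_private_key(ec.SECP256R1())
    other_key = ec.generate_private_key(ec.SECP256R1())
    root_a = make_ca_cert("Example Root A", root_key, "Example Root A", root_key)  # in the root store
    root_b = make_ca_cert("Example Root B", root_key, "Example Root B", root_key)  # same key pair as Root A
    sub = make_ca_cert("Example Sub CA", sub_key, "Example Root A", root_key)      # disclosed subordinate
    sub_self = make_ca_cert("Example Sub CA", sub_key, "Example Sub CA", sub_key)  # self-signed with Sub CA's key
    unrelated = make_ca_cert("Unrelated Root", other_key, "Unrelated Root", other_key)
    return {"root_a": root_a, "root_b": root_b, "sub": sub,
            "sub_self": sub_self, "unrelated": unrelated}


if __name__ == "__main__":
    s = build_scenario()
    print("Root B self-signed:", is_self_signed(s["root_b"]))
    print("Root B verifies under Root A's key:", signed_by_key(s["root_b"], s["root_a"].public_key()))
    missing = find_undisclosed_ca_certs([s["root_a"]], [s["sub"]], list(s.values()))
    for c in missing:
        print("undisclosed CA cert reachable from trusted root:", c.subject.rfc4514_string())
```

Both `root_b` and `sub_self` are self-signed, yet the check reports both: `root_b` because Root A's key verifies it directly, and `sub_self` because the disclosed Sub CA certificate puts the subordinate key in the trusted set, after which the self-signed certificate made with that key verifies under it. The unrelated root is correctly ignored. A CA operator can run the same key-based reachability over every CA certificate it has ever issued to catch exactly the certificates the proposed policy wording is about.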