> Perhaps add: "And also include any other certificates sharing the same
> private/public key pairs as certificates already included in the
> requirements." (this covers the situation you mentioned where a
> self-signed certificate shares the key pair of a certificate that chains
> to an included root).

Jakob, I agree that that would cover that situation, but your proposed language goes way, way too far. Any private CA could cross-certify a publicly-trusted root CA. How would the publicly-trusted CA Operator discover such a cross-certificate? Why would such a cross-certificate be of interest to Mozilla anyway? Would it really be fair for non-disclosure of such a cross-certificate to be considered a policy violation?

________________________________
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> on behalf of Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org>
Sent: 29 October 2020 14:57
To: mozilla-dev-security-pol...@lists.mozilla.org <mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: Policy 2.7.1: MRSP Issue #186: Requirement to Disclose Self-signed Certificates

On 2020-10-29 01:25, Ben Wilson wrote:
> Issue #186 in Github <https://github.com/mozilla/pkipolicy/issues/186>
> deals with the disclosure of CA certificates that directly or transitively
> chain up to an already-trusted, Mozilla-included root. A common scenario
> for the situation discussed in Issue #186 is when a CA creates a second (or
> third or fourth) root certificate with the same key pair as the root that
> is already in the Mozilla Root Store. This problem exists at the
> intermediate-CA-certificate level, too, where a self-signed
> intermediate/subordinate CA certificate is created and not reported.
>
> Public disclosure of such certificates is already required by section 5.3
> of the MRSP, which reads, "All certificates that are capable of being used
> to issue new certificates, and which directly or transitively chain to a
> certificate included in Mozilla’s CA Certificate Program, MUST be operated
> in accordance with this policy and MUST either be technically constrained
> or be publicly disclosed and audited."
>
> There have been several instances where a CA operator has not disclosed a
> CA certificate under the erroneous belief that because it is self-signed it
> cannot be trusted in a certificate chain beneath the already-trusted,
> Mozilla-included CA. This erroneous assumption is further discussed in Issue
> #186 <https://github.com/mozilla/pkipolicy/issues/186>.
>
> The third paragraph of MRSP section 5.3 currently reads, "These
> requirements include all cross-certificates which chain to a certificate
> that is included in Mozilla’s CA Certificate Program."
>
> I recommend that we change that paragraph to read as follows:
>
> "These requirements include all cross-certificates *and self-signed
> certificates (e.g. "Issuer" DN is equivalent to "Subject" DN and public key
> is signed by the private key) that* chain to a CA certificate that is
> included in Mozilla’s CA Certificate Program*, and CAs must disclose such
> CA certificates in the CCADB*.
>
> I welcome your recommendations on how we can make this language even more
> clear.

Perhaps add: "And also include any other certificates sharing the same
private/public key pairs as certificates already included in the
requirements."
(this covers the situation you mentioned where a self-signed certificate
shares the key pair of a certificate that chains to an included root).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com/
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
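The following is an added worked example for the scenario the thread debates; it is not code from any participant, from Mozilla, or from the CCADB. It builds a throw-away hierarchy with Go's standard `crypto/x509` package (all names, keys and serial numbers are constructed here): one root taken to be "included", an intermediate cross-certified by that root, a second certificate over the same intermediate key pair that is self-signed, and one end-entity certificate signed with the intermediate key. It then shows two things. First, the "erroneous belief" Ben describes is wrong in a checkable way: the same leaf validates both through the cross-certificate to the included root and directly under the undisclosed self-signed certificate, because chain building only cares about the key that made the signature. Second, `undisclosedByKey` is the check Jakob's proposed wording implies: compare SubjectPublicKeyInfo fingerprints of every CA certificate the operator holds against those already in scope. That check only covers certificates the operator has in hand, which is Rob's point about third-party cross-certificates: nothing here can discover a certificate someone else issued over the same key.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// demoPKI is a constructed, throw-away hierarchy; every name and key below is generated here.
type demoPKI struct {
	Root       *x509.Certificate // the one root assumed to be in the Mozilla store
	CrossInter *x509.Certificate // intermediate issued by Root: disclosed, chains to Root
	SelfInter  *x509.Certificate // same subject and key pair as CrossInter, but self-signed
	Leaf       *x509.Certificate // end-entity certificate signed with the intermediate key
}

func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	c, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return c
}

func buildDemoPKI() *demoPKI {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	interKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootTmpl := caTemplate("Demo Root", 1)
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	cross := mustCert(caTemplate("Demo Intermediate", 2), root, &interKey.PublicKey, rootKey)
	selfTmpl := caTemplate("Demo Intermediate", 3) // same DN, same key, signed by itself
	self := mustCert(selfTmpl, selfTmpl, &interKey.PublicKey, interKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4), Subject: pkix.Name{CommonName: "example.test"},
		DNSNames:  []string{"example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(12 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := mustCert(leafTmpl, cross, &leafKey.PublicKey, interKey)
	return &demoPKI{Root: root, CrossInter: cross, SelfInter: self, Leaf: leaf}
}

// spkiFingerprint identifies a key pair by the SHA-256 of its SubjectPublicKeyInfo,
// so two certificates over the same key collide regardless of subject or signer.
func spkiFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// isSelfSigned applies the definition in the proposed policy text: Issuer DN equals
// Subject DN and the signature verifies under the certificate's own public key.
func isSelfSigned(c *x509.Certificate) bool {
	return bytes.Equal(c.RawIssuer, c.RawSubject) && c.CheckSignatureFrom(c) == nil
}

// verifies reports whether leaf builds a valid chain to one of roots via inters.
func verifies(leaf *x509.Certificate, roots, inters []*x509.Certificate) bool {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	for _, r := range roots { opts.Roots.AddCert(r) }
	for _, i := range inters { opts.Intermediates.AddCert(i) }
	_, err := leaf.Verify(opts)
	return err == nil
}

// undisclosedByKey returns the Common Names of candidates whose key pair matches a
// certificate already in scope (the included root or anything that chains to it).
func undisclosedByKey(covered, candidates []*x509.Certificate) []string {
	known := map[string]bool{}
	for _, c := range covered { known[spkiFingerprint(c)] = true }
	var out []string
	for _, c := range candidates {
		if known[spkiFingerprint(c)] { out = append(out, c.Subject.CommonName) }
	}
	return out
}

// Convenience wrappers over the constructed hierarchy.
func leafChainsViaCross(p *demoPKI) bool { return verifies(p.Leaf, []*x509.Certificate{p.Root}, []*x509.Certificate{p.CrossInter}) }
func leafChainsViaSelfSigned(p *demoPKI) bool { return verifies(p.Leaf, []*x509.Certificate{p.SelfInter}, nil) }
func undisclosedInDemo(p *demoPKI) []string {
	return undisclosedByKey([]*x509.Certificate{p.Root, p.CrossInter}, []*x509.Certificate{p.SelfInter})
}

func main() {
	p := buildDemoPKI()
	fmt.Println("leaf chains to included root via cross-cert:", leafChainsViaCross(p))
	fmt.Println("same leaf chains directly under the self-signed CA:", leafChainsViaSelfSigned(p))
	fmt.Println("self-signed (root, cross, self):", isSelfSigned(p.Root), isSelfSigned(p.CrossInter), isSelfSigned(p.SelfInter))
	fmt.Println("in scope by shared key pair:", undisclosedInDemo(p))
}
```

Run with `go run .` in an empty module. Keying the comparison on the SPKI hash rather than on subject names or SKIDs is deliberate: a re-issued root or intermediate may carry a different DN, validity period or signature algorithm, but if it wraps the same public key, anything the key signs chains to the included certificate just the same.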