All,

This email introduces another issue selected to be addressed in the next version of the Mozilla Root Store Policy (MRSP), version 2.8, to be published in 2022. (See https://github.com/mozilla/pkipolicy/labels/2.8)

This is GitHub Issue #229 <https://github.com/mozilla/pkipolicy/issues/229>. This issue was previously discussed here: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XsVpyOGlagE/m/xw8JGJYZBAAJ

The proposal is that by July 1, 2022, CAs would have to report all technically constrained CAs in the CCADB.

Currently, MRSP § 5.3 <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#53-intermediate-certificates> says, "All certificates that are capable of being used to issue new certificates and that directly or transitively chain to a CA certificate included in Mozilla's CA Certificate Program MUST be operated in accordance with this policy and MUST either be technically constrained or be publicly disclosed and audited. ... Thus, the operator of a CA certificate trusted in Mozilla's CA Certificate Program MUST disclose in the CCADB all non-technically constrained CA certificates they issue that chain up to that CA certificate trusted in Mozilla's CA Certificate Program. This applies to all non-technically constrained CA certificates, including those that share the same key pair whether they are self-signed, doppelgänger, reissued, cross-signed, or other roots."

MRSP § 5.3.2 <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#532-publicly-disclosed-and-audited> would require a slight modification, as well. It states, "All certificates that are capable of being used to issue new certificates, that are not technically constrained, and that directly or transitively chain to a certificate included in Mozilla's root program: ... MUST be publicly disclosed in the CCADB by the CA that has their certificate included in Mozilla's root program."

I have made an attempt to address this further with some commits in my GitHub repository: https://github.com/mozilla/pkipolicy/compare/1829373903c8d58246c781ee11ea77d6d386985a...e6550dba22ed38ac6bdd33677a8bf3d2f00e75de

Among other changes, these commits:

1. Move the 4th paragraph in MRSP § 5.3 to the first paragraph of § 5.3.2.

2. Move content from the second bullet in MRSP § 5.3.2 to the first paragraph and eliminate the bulleted list.

3. Delete the sentence, "All disclosure MUST be made freely available and without additional requirements, including, but not limited to, registration, legal agreements, or restrictions on redistribution of the certificates in whole or in part" because it no longer makes sense in the context of CA certificate disclosure. (Similar language could be added to MRSP § 3.1.4 <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#314-public-audit-information>, but it already requires publicly available audit documentation.)

Please provide any additional comments you may have regarding the requirement that CAs disclose all subordinate CAs, regardless of whether they are technically constrained.

Thanks,

Ben Wilson
Mozilla Root Program Manager
