Earlier in this thread, Ryan Sleevi wrote:
> For what it’s worth, I think you can separate out the replacement part with
> the remediation part.
Hi Ryan (Dickson).
Regarding your first thought, I understand you're stating that replacing
("modifying") root certificates is something that CAs are permitted to do
today; and indeed, I haven't yet seen anyone suggest otherwise.
However, I'm not clear if you intended your post to also convey an opinion on
Ryan Sleevi's view (expressed at
https://www.mail-archive.com/[email protected]/msg00224.html and
in https://bugzilla.mozilla.org/show_bug.cgi?id=1741777) that the GTS and
Sectigo root replacement plans will not actually remediate the perceived
non-compliance issue. Please could you clarify the Chrome Root Authority
Program's view on this?
________________________________
From: 'Ryan Dickson' via [email protected]
<[email protected]>
Sent: 08 December 2021 12:58
To: Kathleen Wilson <[email protected]>
Cc: [email protected] <[email protected]>; Ryan
Sleevi <[email protected]>; Ben Wilson <[email protected]>
Subject: Re: Root Replacement with digitalSignature Key Usage to Sign OCSP responses
[Posting on behalf of Google Chrome]
Hi Ben,
A few thoughts for last week's discussion, sorry for the delay:
1. We do not feel that this discussion should delay Sectigo’s remediation
planning to align with the BRs or the inclusion of any other approved root that
previously performed the same type of certificate modification. Unless/until
this behavior is explicitly prohibited, it’s unfair to change course now.
2. The primary concern in Sectigo’s case is that their Web PKI CP and CPS
indicate, “Sectigo does not offer Certificate modification. Instead, Sectigo
will revoke the old Certificate and issue a new Certificate as a replacement.”
3. Long-term, to reduce the potential for interoperability issues and
promote simplicity, should we look to prohibit both CA certificate renewal and
modification and instead promote the establishment of new CAs (encouraging
crypto agility) - either through the BRs or by way of root program
requirements? If this discussion is best served in a separate thread to avoid
detracting from the immediate issue at hand, no problem.
4. In the spirit of points above, and alongside personal views shared by
Ryan Sleevi, a root transition and subsequent CA decommissioning would be the
optimal path forward to comply with the commitments made in Sectigo’s policies
and, by extension, the BRs.
Thanks,
Ryan
On Thu, Dec 2, 2021 at 4:29 PM Kathleen Wilson <[email protected]> wrote:
>> replacement is separate from, and neither here nor there, for remediation
>> of the issue, objectively and technically speaking
Given this information, and that Bug #1735407
<https://bugzilla.mozilla.org/show_bug.cgi?id=1735407> is about replacing
currently-included root certificates so it does not add risk, I will keep Bug
#1735407 in the December 2021 batch of root changes.
Thanks,
Kathleen
--
You received this message because you are subscribed to the Google Groups
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/98f61dfe-6389-4fbb-b611-fe73b336addbn%40mozilla.org.