2022-02-17 01:10 GMT-05:00 'Brittany Randall' via [email protected] <[email protected]>:
> This is to announce and begin public discussion of GoDaddy’s intent to use
> its publicly trusted Starfield Root Certificate Authority - G2
> (https://crt.sh/?caid=796) to create two new external subordinate CA
> certificates to be operated and maintained by Certainly, LLC. These will be
> cross-certificates sharing their respective key pairs with subordinate CA
> certificates signed by two Certainly Root CAs that are pending inclusion
> (https://bugzilla.mozilla.org/show_bug.cgi?id=1727941).
At a high level, I can't personally see why the process for approving a new externally-operated unconstrained cross-sign should be less onerous and thorough than the process to include a new root. Allowing externally-operated cross-signs is beneficial in that it allows new CAs to bootstrap without crippling ubiquity issues, but there is no value in it being a shortcut in the inclusion process. In both cases the first-order risk to users is the same (if we discount the issuing CA's oversight according to the track record of relying on CAs for self-oversight), and if we consider the ecosystem complexity of remedial actions the cross-sign is in fact riskier, as Ryan points out.

If this cross-sign is approved before the root inclusion is, it should follow that the natural path for a new CA is to 1) file an inclusion request, 2) obtain a cross-sign, and 3) eventually address the concerns raised by the inclusion process but not by the cross-sign discussion. If we believe the inclusion process is not capable of raising additional concerns on top of those of the cross-sign discussion, then the former should be made more lightweight to match the latter. If we believe the inclusion process *is* capable of raising additional concerns, then the cross-sign bypasses that important part of the process, and renders it moot.

--
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/cc837b2e-fa10-4417-bebc-65a3e542126d%40www.fastmail.com.
