Hi Ben,

Does Mozilla allow for the inclusion of non-self-signed certificates as trust anchors? From a BR standpoint, the Root Certificate is self-signed (“Root Certificate” is defined as “The self-signed Certificate issued by the Root CA to identify itself and to facilitate verification of Certificates issued to its Subordinate CAs.”). If I recall correctly, there were historical exceptions to this, but I don’t believe there have been any recently.

If Mozilla does not allow for the inclusion of non-self-signed certificates as trust anchors, then I think the entire section can be deleted as the “intermediate” CA (relative to another PKI hierarchy, presumably “private”) can certify itself and have the self-signed certificate included in Mozilla.

Thanks,
Corey

From: Ben Wilson <[email protected]>
Sent: Wednesday, April 20, 2022 2:00 PM
To: Corey Bonnell <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: Policy 2.8: Final Review of MRSP v. 2.8

Thanks, Corey. I'm wondering whether we should salvage anything in that section? We could rename it "Other PKI Hierarchies", delete the second paragraph and other wording that refers to "non-disclosable", etc., and make other tweaks to keep the section and the discussion of submitting an intermediate CA certificate as a trust anchor. Thoughts anyone?

Thanks again,
Ben

On Wed, Apr 20, 2022 at 11:12 AM Corey Bonnell <[email protected]> wrote:

Hi Ben,

I believe the “Non-disclosable Intermediate Certificates” section of the “CA/Subordinate CA Checklist” Wiki page [1] should be deleted given that Mozilla is now requiring the disclosure of all TCSA certificates, regardless of technical constraints.

Thanks,
Corey

[1] https://wiki.mozilla.org/CA/Subordinate_CA_Checklist#Non-disclosable_Intermediate_Certificates

From: [email protected] <[email protected]> On Behalf Of Ben Wilson
Sent: Wednesday, April 13, 2022 1:18 PM
To: [email protected] <[email protected]>
Subject: Policy 2.8: Final Review of MRSP v. 2.8

All,

Here are links helpful during your final review of version 2.8 of the Mozilla Root Store Policy (MRSP):

https://github.com/BenWilson-Mozilla/pkipolicy/blob/2.8/rootstore/policy.md
https://github.com/mozilla/pkipolicy/compare/master...BenWilson-Mozilla:2.8 (redlined)

Please review the changes and provide any additional comments by the end of Tuesday, April 19, 2022. My plan is to move this version over to the Mozilla pkipolicy repository on Github <https://github.com/mozilla/pkipolicy/tree/master/rootstore>, and then I'll request that it be published on Mozilla's website <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/> to replace version 2.7.1.

Thanks,
Ben
