Yes - Mozilla allows for the inclusion of non-self-signed certificates as
trust anchors.
Ben

On Wed, Apr 20, 2022 at 1:42 PM Corey Bonnell <[email protected]>
wrote:

> Hi Ben,
>
> Does Mozilla allow for the inclusion of non-self-signed certificates as
> trust anchors? From a BR standpoint, the Root Certificate is self-signed
> (“Root Certificate” is defined as “The self-signed Certificate issued by
> the Root CA to identify itself and to facilitate verification of
> Certificates issued to its Subordinate CAs.”). If I recall correctly, there
> were historical exceptions to this, but I don’t believe there have been any
> recently.
>
>
>
> If Mozilla does not allow for the inclusion of non-self-signed
> certificates as trust anchors, then I think the entire section can be
> deleted as the “intermediate” CA (relative to another PKI hierarchy,
> presumably “private”) can certify itself and have the self-signed
> certificate included in Mozilla.
>
>
>
> Thanks,
>
> Corey
>
>
>
> *From:* Ben Wilson <[email protected]>
> *Sent:* Wednesday, April 20, 2022 2:00 PM
> *To:* Corey Bonnell <[email protected]>
> *Cc:* [email protected] <[email protected]>
> *Subject:* Re: Policy 2.8: Final Review of MRSP v. 2.8
>
>
>
> Thanks, Corey.
>
>
>
> I'm wondering whether we should salvage anything in that section? We could
> rename it "Other PKI Hierarchies", delete the second paragraph and other
> wording that refers to "non-disclosable", etc., and make other tweaks to
> keep the section and the discussion of submitting an intermediate CA
> certificate as a trust anchor. Thoughts anyone?
>
>
>
> Thanks again,
>
>
>
> Ben
>
>
>
> On Wed, Apr 20, 2022 at 11:12 AM Corey Bonnell <[email protected]>
> wrote:
>
> Hi Ben,
>
> I believe the “Non-disclosable Intermediate Certificates” section of the
> “CA/Subordinate CA Checklist” Wiki page [1] should be deleted given that
> Mozilla is now requiring the disclosure of all TCSA certificates,
> regardless of technical constraints.
>
>
>
> Thanks,
>
> Corey
>
>
>
> [1]
> https://wiki.mozilla.org/CA/Subordinate_CA_Checklist#Non-disclosable_Intermediate_Certificates
>
>
>
> *From:* [email protected] <[email protected]> *On
> Behalf Of *Ben Wilson
> *Sent:* Wednesday, April 13, 2022 1:18 PM
> *To:* [email protected] <[email protected]>
> *Subject:* Policy 2.8: Final Review of MRSP v. 2.8
>
>
>
> All,
>
>
>
> Here are links helpful during your final review of version 2.8 of the
> Mozilla Root Store Policy (MRSP):
>
>
>
> https://github.com/BenWilson-Mozilla/pkipolicy/blob/2.8/rootstore/policy.md
>
> https://github.com/mozilla/pkipolicy/compare/master...BenWilson-Mozilla:2.8
> (redlined)
>
>
>
> Please review the changes and provide any additional comments by the end
> of Tuesday, April 19, 2022.
>
>
>
> My plan is to move this version over to the Mozilla pkipolicy repository
> on GitHub <https://github.com/mozilla/pkipolicy/tree/master/rootstore>,
> and then I'll request that it be published on Mozilla's website
> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/>
> to replace version 2.7.1.
>
>
>
> Thanks,
>
>
>
> Ben
>
> --
> You received this message because you are subscribed to the Google Groups "
> [email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaby8DypMdN2ih3xF_nf0FoshtaKUes-KC%2Baxfi-3cRiqw%40mail.gmail.com
> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaby8DypMdN2ih3xF_nf0FoshtaKUes-KC%2Baxfi-3cRiqw%40mail.gmail.com?utm_medium=email&utm_source=footer>
> .
>
>
