Hi Dimitris. IIUC, you're suggesting that revocation of a Sub-CA certificate via CRL and/or OCSP is sufficient to prevent leaf certificates from "working". I understand why you might think this, but I don't think it's Mozilla's view.
My understanding is that Mozilla only considers a Sub-CA certificate to be fully revoked if it's included in OneCRL (or if the "parent" Sub-CA certificate(s) is/are included in OneCRL), and that Mozilla will typically only include a Sub-CA certificate in OneCRL if it has first been disclosed to CCADB as "Revoked". AFAICT from the latest Policy, technically-constrained Sub-CA certificates and unconstrained Sub-CA certificates are now treated identically in this regard. The implication, I think, is that leaf certificates are considered by Mozilla to be "working" unless one or more Sub-CA certificates in each potential trust chain are revoked via OneCRL. Obviously I don't speak for Mozilla though.

Ben, Kathleen: Please could I ask one of you to clarify Mozilla's viewpoint on this matter?

________________________________
From: Dimitris Zacharopoulos <[email protected]>
Sent: 24 June 2022 13:27
To: Rob Stradling <[email protected]>; [email protected]
Subject: Re: Draft May 2022 CA Communication and Survey

Hi Rob,

I believe the requirement does not include the disclosure of Revoked subCAs as they are not "technically capable of issuing working server or email certificates".

Thanks,
Dimitris.

On 24/6/2022 3:13 PM, 'Rob Stradling' via [email protected] wrote:

Hi. This is a friendly reminder about the recent Mozilla Root Store Policy update [1] that was communicated in ITEM 7 (Publicly Disclose Intermediate CA Certificates capable of Issuing TLS or SMIME...in the CCADB by July 1, 2022, even if they are technically constrained) of the May 2022 CA Communication and Survey.

Today I've updated https://crt.sh/mozilla-disclosures to bring it in line with this Policy update. crt.sh currently knows of 40 technically-constrained CA certificates [2] that are "capable of issuing working server or email certificates" but that have not yet been disclosed to the CCADB. Since some of these CA certificates were issued by CAs whose response to ITEM 7 was "The CCADB already contains all our CA certificates capable of issuing working server or email certificates, including those that are technically constrained" [3], I would like to encourage CA operators to take another look at this topic to ensure that their CA is compliant by the upcoming July 1st deadline.
[1] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#5-certificates:~:text=Name%2Dconstrained%20CA%20certificates%20that%20are%20technically%20capable%20of%20issuing%20working%20server%20or%20email%20certificates%20that%20were%20exempt%20from%20disclosure%20in%20previous%20versions%20of%20this%20policy%20MUST%20be%20disclosed%20in%20the%20CCADB%20prior%20to%20July%201%2C%202022.
[2] https://crt.sh/mozilla-disclosures#constrained
[3] https://ccadb-public.secure.force.com/mozillacommunications/CACommResponsesOnlyReport?CommunicationId=a058Z000013UmsDQAS&QuestionId=Q00175,Q00176

________________________________
From: [email protected] on behalf of Ben Wilson <[email protected]>
Sent: 16 May 2022 21:50
To: [email protected]
Subject: Re: Draft May 2022 CA Communication and Survey

All,

I'm going to hit "send" on the May 2022 CA Communication and Survey this afternoon. CA responses will be made available at https://wiki.mozilla.org/CA/Communications#May_2022_Responses.
Thanks,
Ben

On Thu, May 12, 2022 at 2:43 PM Ben Wilson <[email protected]> wrote:

All,

Please review and provide feedback on the following draft of the May 2022 CA Communication and Survey that we plan to send to CAs in the Mozilla root store:

https://ccadb-public.secure.force.com/mozillacommunications/CACommunicationSurveySample?CACommunicationId=a058Z000013UmsDQAS

Thanks,
Ben
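The "each potential trust chain" reading in Rob's message above can be made concrete with a small model. The following is an added illustration, not code from the thread, from Mozilla, or from crt.sh: it treats certificates as plain records with string DNs (a stand-in for DER), models OneCRL as a set of (issuer DN, serial) pairs, and uses a constructed hierarchy with one cross-signed Sub-CA. Real OneCRL records carry base64-encoded DER values and may instead match on subject plus public-key hash; the intermediate's own CRL/OCSP status is deliberately ignored, since under the reading above only OneCRL counts. Whether this is actually Mozilla's view is the open question Rob puts to Ben and Kathleen.

```python
"""Toy model: a leaf keeps 'working' while any chain to a root survives OneCRL.

Added illustration, not code from the thread or from Mozilla. DNs are plain
strings, OneCRL is a set of (issuer DN, serial) pairs, and the hierarchy
below is constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str   # subject DN (string stand-in for the DER encoding)
    issuer: str    # issuer DN
    serial: str    # serial number as a hex string


# A OneCRL entry here is the (issuer DN, serial) of the blocked Sub-CA cert.
OneCRL = Set[Tuple[str, str]]


def build_chains(leaf: Cert, intermediates: List[Cert], roots: Set[str]) -> List[List[Cert]]:
    """Enumerate every chain from `leaf` up to a trust anchor named in `roots`.

    Every intermediate whose subject equals the issuer of the current chain top
    is followed, so a cross-signed Sub-CA (same subject, two issuers/serials)
    produces two distinct chains.
    """
    chains: List[List[Cert]] = []

    def walk(path: List[Cert]) -> None:
        top = path[-1]
        if top.issuer in roots:               # reached a trust anchor
            chains.append(path)
            return
        for cand in intermediates:
            if cand.subject == top.issuer and cand not in path:   # no loops
                walk(path + [cand])

    walk([leaf])
    return chains


def chain_blocked_by_onecrl(chain: List[Cert], onecrl: OneCRL) -> bool:
    """A chain is dead only if one of its Sub-CA certificates is in OneCRL.

    The leaf itself (chain[0]) is never a OneCRL subject, and the CRL/OCSP
    status of the intermediates is intentionally not consulted.
    """
    return any((ca.issuer, ca.serial) in onecrl for ca in chain[1:])


def leaf_is_working(leaf: Cert, intermediates: List[Cert], roots: Set[str], onecrl: OneCRL) -> bool:
    """True while at least one chain from leaf to a root has no OneCRL'd Sub-CA."""
    chains = build_chains(leaf, intermediates, roots)
    return any(not chain_blocked_by_onecrl(c, onecrl) for c in chains)


# --- constructed sample hierarchy (not real CAs) ---
ROOTS = {"CN=Example Root A", "CN=Example Root B"}
SUBCA_FROM_A = Cert("CN=Example Sub CA X", "CN=Example Root A", "01")
SUBCA_FROM_B = Cert("CN=Example Sub CA X", "CN=Example Root B", "02")   # cross-sign
INTERMEDIATES = [SUBCA_FROM_A, SUBCA_FROM_B]
LEAF = Cert("CN=www.example.test", "CN=Example Sub CA X", "1001")

# Revoking only the Root-A-issued Sub-CA cert leaves the Root-B chain alive.
ONECRL_ONLY_A: OneCRL = {("CN=Example Root A", "01")}
# Both cross-signs must be in OneCRL before the leaf stops working.
ONECRL_BOTH: OneCRL = ONECRL_ONLY_A | {("CN=Example Root B", "02")}

if __name__ == "__main__":
    cases = (("nothing", set()),
             ("only the Root A cross-sign", ONECRL_ONLY_A),
             ("both cross-signs", ONECRL_BOTH))
    for label, crl in cases:
        print(f"OneCRL lists {label}: leaf working = "
              f"{leaf_is_working(LEAF, INTERMEDIATES, ROOTS, crl)}")
```

The point the model makes is the one in the message: with a cross-signed Sub-CA, placing one of its certificates in OneCRL does not stop the leaf, and a Sub-CA certificate that has only been revoked via its issuer's CRL or OCSP is not consulted at all in this reading, which is why the CCADB "Revoked" disclosure that feeds OneCRL matters.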
