Hi Rob and Dimitris,

I think you're correct, but let me confirm and get back to you.

Ben
On Fri, Jun 24, 2022 at 10:10 AM 'Rob Stradling' via [email protected] <[email protected]> wrote:

> Hi Dimitris. IIUC, you're suggesting that revocation of a Sub-CA certificate via CRL and/or OCSP is sufficient to prevent leaf certificates from "working". I understand why you might think this, but I don't think it's Mozilla's view.
>
> My understanding is that Mozilla only considers a Sub-CA certificate to be fully revoked if it's included in OneCRL (or if the "parent" Sub-CA certificate(s) is/are included in OneCRL), and that Mozilla will typically only include a Sub-CA certificate in OneCRL if it has first been disclosed to CCADB as "Revoked". AFAICT from the latest Policy, technically-constrained Sub-CA certificates and unconstrained Sub-CA certificates are now treated identically in this regard. The implication, I think, is that leaf certificates are considered by Mozilla to be "working" unless one or more Sub-CA certificates in each potential trust chain are revoked via OneCRL.
>
> Obviously I don't speak for Mozilla though. 🙂
>
> Ben, Kathleen: Please could I ask one of you to clarify Mozilla's viewpoint on this matter?
>
> ------------------------------
> *From:* Dimitris Zacharopoulos <[email protected]>
> *Sent:* 24 June 2022 13:27
> *To:* Rob Stradling <[email protected]>; [email protected] <[email protected]>
> *Subject:* Re: Draft May 2022 CA Communication and Survey
>
> Hi Rob,
>
> I believe the requirement does not include the disclosure of Revoked subCAs as they are not *"technically capable of issuing working server or email certificates"*.
>
> Thanks,
> Dimitris.
>
> On 24/6/2022 3:13 PM, 'Rob Stradling' via [email protected] wrote:
>
> Hi.
> This is a friendly reminder about the recent Mozilla Root Store Policy update[1] that was communicated in ITEM 7 *(Publicly Disclose Intermediate CA Certificates capable of Issuing TLS or SMIME...in the CCADB by July 1, 2022, even if they are technically constrained)* of the May 2022 CA Communication and Survey.
>
> Today I've updated https://crt.sh/mozilla-disclosures to bring it in line with this Policy update.
>
> crt.sh currently knows of 40 technically-constrained CA certificates [2] that are *"capable of issuing working server or email certificates"* but that have not yet been disclosed to the CCADB. Since some of these CA certificates were issued by CAs whose response to ITEM 7 was *"The CCADB already contains all our CA certificates capable of issuing working server or email certificates, including those that are technically constrained"* [3], I would like to encourage CA operators to take another look at this topic to ensure that their CA is compliant by the upcoming July 1st deadline.
>
> [1] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#5-certificates:~:text=Name%2Dconstrained%20CA%20certificates%20that%20are%20technically%20capable%20of%20issuing%20working%20server%20or%20email%20certificates%20that%20were%20exempt%20from%20disclosure%20in%20previous%20versions%20of%20this%20policy%20MUST%20be%20disclosed%20in%20the%20CCADB%20prior%20to%20July%201%2C%202022.
> [2] https://crt.sh/mozilla-disclosures#constrained
>
> [3] https://ccadb-public.secure.force.com/mozillacommunications/CACommResponsesOnlyReport?CommunicationId=a058Z000013UmsDQAS&QuestionId=Q00175,Q00176
> ------------------------------
> *From:* [email protected] on behalf of Ben Wilson <[email protected]>
> *Sent:* 16 May 2022 21:50
> *To:* [email protected] <[email protected]>
> *Subject:* Re: Draft May 2022 CA Communication and Survey
>
> All,
> I'm going to hit "send" on the May 2022 CA Communication and Survey this afternoon. CA responses will be made available at https://wiki.mozilla.org/CA/Communications#May_2022_Responses.
> Thanks,
> Ben
>
> On Thu, May 12, 2022 at 2:43 PM Ben Wilson <[email protected]> wrote:
>
> All,
>
> Please review and provide feedback on the following draft of the May 2022 CA Communication and Survey that we plan to send to CAs in the Mozilla root store:
>
> https://ccadb-public.secure.force.com/mozillacommunications/CACommunicationSurveySample?CACommunicationId=a058Z000013UmsDQAS
>
> Thanks,
> Ben
>
> --
> You received this message because you are subscribed to the Google Groups "[email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaY8Ew-JW0k%2B5bzZc-2OGZtHQOb2J-yChCYwh0DDic59%3Dw%40mail.gmail.com.
