Hi Dimitris,

well, I’ve opened the Pull Request that introduced this sentence to the policy 
and it was not my intention. Disclose also TCSC to CCADB by RufusJWB · Pull 
Request #229 · mozilla/pkipolicy (github.com) 
<https://github.com/mozilla/pkipolicy/pull/229>. But you are right, it was 
never explicitly stated in the discussion.

/Rufus

From: [email protected] <[email protected]> On 
Behalf Of Dimitris Zacharopoulos
Sent: Friday, 24 June 2022 20:18
To: Buschart, Rufus (IT IPS SIP ET) <[email protected]>
Cc: Stephen Davidson <[email protected]>; Rob Stradling 
<[email protected]>; [email protected] <[email protected]>
Subject: Re: Draft May 2022 CA Communication and Survey

Hi Rufus,

If you can point us to the specific messages of the thread, it would be really 
helpful.

Thanks,

DZ.


Jun 24, 2022 21:13:05 Buschart, Rufus <[email protected]>:

Hi!

Remembering the discussion while creating this policy sentence, I think it was 
never the intent to include expired or revoked ICAs in CCADB.

/Rufus

From: 'Stephen Davidson' via [email protected] <[email protected]>
Sent: Friday, 24 June 2022 19:48
To: Dimitris Zacharopoulos <[email protected]>; Rob Stradling <[email protected]>; 
[email protected] <[email protected]>
Subject: RE: Draft May 2022 CA Communication and Survey

Hello:

I agree with Dimitris.  The CAs I am familiar with on your list were revoked 
before there was a requirement for them to be disclosed in CCADB, and in any 
case do not have remaining leaf certificates within their respective validity 
periods.  In short, the CAs are not capable of issuing working certs today, and 
none of their previous leaf certs should be working.

Also, a number of those CAs are email.  Is OneCRL used for non-TLS?

It would be helpful for a policy clarification if there is a new requirement to 
report ICAs that were discontinued before the respective CCADB requirements.  
It is potentially a large number of CAs.

Regards, Stephen

From: [email protected] <[email protected]> On Behalf Of Dimitris Zacharopoulos
Sent: Friday, June 24, 2022 9:27 AM
To: Rob Stradling <[email protected]>; [email protected] <[email protected]>
Subject: Re: Draft May 2022 CA Communication and Survey

Hi Rob,

I believe the requirement does not include the disclosure of Revoked subCAs as 
they are not "technically capable of issuing working server or email 
certificates".


Thanks,
Dimitris.

On 24/6/2022 3:13 PM, 'Rob Stradling' via [email protected] wrote:

Hi.  This is a friendly reminder about the recent Mozilla Root Store Policy 
update[1] that was communicated in ITEM 7 (Publicly Disclose Intermediate CA 
Certificates capable of Issuing TLS or SMIME...in the CCADB by July 1, 2022, 
even if they are technically constrained) of the May 2022 CA Communication and 
Survey.
Today I've updated https://crt.sh/mozilla-disclosures to bring it in line with 
this Policy update.
crt.sh currently knows of 40 technically-constrained CA certificates [2] that 
are "capable of issuing working server or email certificates" but that have not 
yet been disclosed to the CCADB.  Since some of these CA certificates were 
issued by CAs whose response to ITEM 7 was "The CCADB already contains all our 
CA certificates capable of issuing working server or email certificates, 
including those that are technically constrained" [3], I would like to 
encourage CA operators to take another look at this topic to ensure that their 
CA is compliant by the upcoming July 1st deadline.
[1] 
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#5-certificates:~:text=Name%2Dconstrained%20CA%20certificates%20that%20are%20technically%20capable%20of%20issuing%20working%20server%20or%20email%20certificates%20that%20were%20exempt%20from%20disclosure%20in%20previous%20versions%20of%20this%20policy%20MUST%20be%20disclosed%20in%20the%20CCADB%20prior%20to%20July%201%2C%202022.
[2] 
https://crt.sh/mozilla-disclosures#constrained
[3] 
https://ccadb-public.secure.force.com/mozillacommunications/CACommResponsesOnlyReport?CommunicationId=a058Z000013UmsDQAS&QuestionId=Q00175,Q00176
________________________________
From: [email protected] <[email protected]> on behalf of Ben Wilson <[email protected]>
Sent: 16 May 2022 21:50
To: [email protected] <[email protected]>
Subject: Re: Draft May 2022 CA Communication and Survey

All,
I'm going to hit "send" on the May 2022 CA Communication and Survey this 
afternoon.  CA responses will be made available at 
https://wiki.mozilla.org/CA/Communications#May_2022_Responses.
Thanks,
Ben

On Thu, May 12, 2022 at 2:43 PM Ben Wilson <[email protected]> wrote:

All,
Please review and provide feedback on the following draft of the May 2022 CA 
Communication and Survey that we plan to send to CAs in the Mozilla root store:
https://ccadb-public.secure.force.com/mozillacommunications/CACommunicationSurveySample?CACommunicationId=a058Z000013UmsDQAS
Thanks,
Ben
--
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaY8Ew-JW0k%2B5bzZc-2OGZtHQOb2J-yChCYwh0DDic59%3Dw%40mail.gmail.com.