Hi Everyone, Section 5.3.2 of the current policy states that it applies to CAs "capable of issuing working server or email certificates". We could have made it clearer that unexpired but revoked CA certificates had to be reported in the CCADB so that they can be added to OneCRL. I have opened Issue #250 in Github [1] to amend the policy to expressly mention revoked CA certificates and the exclusion of expired CA certificates. We could also possibly remove CAs capable of issuing working email certificates, but that will require more discussion during the next policy-revision cycle. Finally, the size of some name-constrained CA certificates may be too large to submit through the current CCADB interface. If that is the case, then they can be uploaded to Bugzilla as attachments to a non-incident bug. Do these suggestions work? Thanks, Ben
[1] https://github.com/mozilla/pkipolicy/issues/250 On Wed, Jun 29, 2022 at 4:21 AM Rob Stradling <[email protected]> wrote: > Hi Ben. Are you able to provide an update yet? It would be really > helpful if Mozilla's interpretation of the new disclosure requirement could > be made clear before that requirement comes into force on Friday! > > ------------------------------ > *From:* Ben Wilson <[email protected]> > *Sent:* 24 June 2022 17:19 > *To:* Rob Stradling <[email protected]> > *Cc:* Dimitris Zacharopoulos <[email protected]>; [email protected] > <[email protected]> > *Subject:* Re: Draft May 2022 CA Communication and Survey > > > CAUTION: This email originated from outside of the organization. Do not > click links or open attachments unless you recognize the sender and know > the content is safe. > > Hi Rob and Dimitris, > I think you're correct, but let me confirm and get back to you. > Ben > > > On Fri, Jun 24, 2022 at 10:10 AM 'Rob Stradling' via > [email protected] <[email protected]> wrote: > > Hi Dimitris. IIUC, you're suggesting that revocation of a Sub-CA > certificate via CRL and/or OCSP is sufficient to prevent leaf certificates > from "working". I understand why you might think this, but I don't think > it's Mozilla's view. > > My understanding is that Mozilla only considers a Sub-CA certificate to be > fully revoked if it's included in OneCRL (or if the "parent" Sub-CA > certificate(s) is/are included in OneCRL), and that Mozilla will typically > only include a Sub-CA certificate in OneCRL if it has first been disclosed > to CCADB as "Revoked". AFAICT from the latest Policy, > technically-constrained Sub-CA certificates and unconstrained Sub-CA > certificates are now treated identically in this regard. The implication, > I think, is that leaf certificates are considered by Mozilla to be > "working" unless one or more Sub-CA certificates in each potential trust > chain are revoked via OneCRL. > > Obviously I don't speak for Mozilla though. 🙂 > > Ben, Kathleen: Please could I ask one of you to clarify Mozilla's > viewpoint on this matter? > ------------------------------ > *From:* Dimitris Zacharopoulos <[email protected]> > *Sent:* 24 June 2022 13:27 > *To:* Rob Stradling <[email protected]>; [email protected] < > [email protected]> > *Subject:* Re: Draft May 2022 CA Communication and Survey > > > CAUTION: This email originated from outside of the organization. Do not > click links or open attachments unless you recognize the sender and know > the content is safe. > > Hi Rob, > > I believe the requirement does not include the disclosure of Revoked > subCAs as they are not *"technically capable of issuing working server or > email certificates"*. > > > Thanks, > Dimitris. > > On 24/6/2022 3:13 μ.μ., 'Rob Stradling' via > [email protected] wrote: > > Hi. This is a friendly reminder about the recent Mozilla Root Store > Policy update[1] that was communicated in ITEM 7 *(Publicly Disclose > Intermediate CA Certificates capable of Issuing TLS or SMIME...in the CCADB > by July 1, 2022, even if they are technically constrained)* of the May > 2022 CA Communication and Survey. > > Today I've updated https://crt.sh/mozilla-disclosures > <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcrt.sh%2Fmozilla-disclosures&data=05%7C01%7Crob%40sectigo.com%7C7d885800033c4ce6121208da55fd4fa4%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637916843712080305%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=lkaKOG%2B0qZlXR%2BdvFwXMxSUsEb3V1JKJucFmB4xBzp0%3D&reserved=0> > to > bring it in line with this Policy update. > > crt.sh currently knows of 40 technically-constrained CA certificates [2] > that are *"capable of issuing working server or email certificates"* but > that have not yet been disclosed to the CCADB. Since some of these CA > certificates were issued by CAs whose response to ITEM 7 was *"The CCADB > already contains all our CA certificates capable of issuing working server > or email certificates, including those that are technically constrained"* [3], > I would like to encourage CA operators to take another look at this topic > to ensure that their CA is compliant by the upcoming July 1st deadline. > > > [1] > https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#5-certificates:~:text=Name%2Dconstrained%20CA%20certificates%20that%20are%20technically%20capable%20of%20issuing%20working%20server%20or%20email%20certificates%20that%20were%20exempt%20from%20disclosure%20in%20previous%20versions%20of%20this%20policy%20MUST%20be%20disclosed%20in%20the%20CCADB%20prior%20to%20July%201%2C%202022. > <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.mozilla.org%2Fen-US%2Fabout%2Fgovernance%2Fpolicies%2Fsecurity-group%2Fcerts%2Fpolicy%2F%235-certificates%3A~%3Atext%3DName-constrained%2520CA%2520certificates%2520that%2520are%2520technically%2520capable%2520of%2520issuing%2520working%2520server%2520or%2520email%2520certificates%2520that%2520were%2520exempt%2520from%2520disclosure%2520in%2520previous%2520versions%2520of%2520this%2520policy%2520MUST%2520be%2520disclosed%2520in%2520the%2520CCADB%2520prior%2520to%2520July%25201%252C%25202022.&data=05%7C01%7Crob%40sectigo.com%7C7d885800033c4ce6121208da55fd4fa4%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637916843712080305%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=KC9nmdHThSudvvA%2BxO5gf5jGhCCl6htbsRmc1YonXds%3D&reserved=0> > > [2] https://crt.sh/mozilla-disclosures#constrained > <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcrt.sh%2Fmozilla-disclosures%23constrained&data=05%7C01%7Crob%40sectigo.com%7C7d885800033c4ce6121208da55fd4fa4%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637916843712080305%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=sOCRipmuQxrsCKioovuGfuFOdI%2B%2FGDC7hNQlQXSL8aM%3D&reserved=0> > > [3] > https://ccadb-public.secure.force.com/mozillacommunications/CACommResponsesOnlyReport?CommunicationId=a058Z000013UmsDQAS&QuestionId=Q00175,Q00176 > <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fccadb-public.secure.force.com%2Fmozillacommunications%2FCACommResponsesOnlyReport%3FCommunicationId%3Da058Z000013UmsDQAS%26QuestionId%3DQ00175%2CQ00176&data=05%7C01%7Crob%40sectigo.com%7C7d885800033c4ce6121208da55fd4fa4%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637916843712080305%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Nir1Ns8Smg4NJi24OpZAxWYCzMQa79lt02ruSfC%2B7wQ%3D&reserved=0> > > ------------------------------ > *From:* [email protected] <[email protected]> > <[email protected]> on behalf of Ben Wilson > <[email protected]> <[email protected]> > *Sent:* 16 May 2022 21:50 > *To:* [email protected] <[email protected]> > <[email protected]> > *Subject:* Re: Draft May 2022 CA Communication and Survey > > CAUTION: This email originated from outside of the organization. Do not > click links or open attachments unless you recognize the sender and know > the content is safe. > > All, > I'm going to hit "send" on the May 2022 CA Communication and Survey this > afternoon. CA responses will be made available at > https://wiki.mozilla.org/CA/Communications#May_2022_Responses > <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.mozilla.org%2FCA%2FCommunications%23May_2022_Responses&data=05%7C01%7Crob%40sectigo.com%7C7d885800033c4ce6121208da55fd4fa4%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637916843712080305%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=nnVXKYJFgMKeebikiPDHZVK11Tj%2FCHQQT9H%2FSPfMXJg%3D&reserved=0> > . > Thanks, > Ben > > On Thu, May 12, 2022 at 2:43 PM Ben Wilson <[email protected]> wrote: > > All, > > Please review and provide feedback on the following draft of the May 2022 > CA Communication and Survey that we plan to send to CAs in the Mozilla root > store: > > https://ccadb-public.secure.force.com/mozillacommunications/CACommunicationSurveySample?CACommunicationId=a058Z000013UmsDQAS > <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fccadb-public.secure.force.com%2Fmozillacommunications%2FCACommunicationSurveySample%3FCACommunicationId%3Da058Z000013UmsDQAS&data=05%7C01%7Crob%40sectigo.com%7C7d885800033c4ce6121208da55fd4fa4%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637916843712080305%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ZzkCUCLjQV9hD4BroLd2N9id%2F3VzTOsSBjfGtlcRv18%3D&reserved=0> > > Thanks, > Ben > > -- > You received this message because you are subscribed to the Google Groups > "[email protected]" <[email protected]> group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaY8Ew-JW0k%2B5bzZc-2OGZtHQOb2J-yChCYwh0DDic59%3Dw%40mail.gmail.com > <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fa%2Fmozilla.org%2Fd%2Fmsgid%2Fdev-security-policy%2FCA%252B1gtaY8Ew-JW0k%252B5bzZc-2OGZtHQOb2J-yChCYwh0DDic59%253Dw%2540mail.gmail.com%3Futm_medium%3Demail%26utm_source%3Dfooter&data=05%7C01%7Crob%40sectigo.com%7C7d885800033c4ce6121208da55fd4fa4%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637916843712080305%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=G4Jhgx058oANxvbilWbg5leulBIaBqIVWawPv%2FclWx8%3D&reserved=0> > . > -- > You received this message because you are subscribed to the Google Groups > "[email protected]" <[email protected]> group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/MW4PR17MB4729D9ABE96ABF0BD80990C6AAB49%40MW4PR17MB4729.namprd17.prod.outlook.com > <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fa%2Fmozilla.org%2Fd%2Fmsgid%2Fdev-security-policy%2FMW4PR17MB4729D9ABE96ABF0BD80990C6AAB49%2540MW4PR17MB4729.namprd17.prod.outlook.com%3Futm_medium%3Demail%26utm_source%3Dfooter&data=05%7C01%7Crob%40sectigo.com%7C7d885800033c4ce6121208da55fd4fa4%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637916843712080305%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ViYwp9RUoReMSGzeCu2y7DPj8spVUka7nfHKlRhpLs0%3D&reserved=0> > . > > > -- > You received this message because you are subscribed to the Google Groups " > [email protected]" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/MW4PR17MB47299ECF1CC5C8E7C98431E3AAB49%40MW4PR17MB4729.namprd17.prod.outlook.com > <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fa%2Fmozilla.org%2Fd%2Fmsgid%2Fdev-security-policy%2FMW4PR17MB47299ECF1CC5C8E7C98431E3AAB49%2540MW4PR17MB4729.namprd17.prod.outlook.com%3Futm_medium%3Demail%26utm_source%3Dfooter&data=05%7C01%7Crob%40sectigo.com%7C7d885800033c4ce6121208da55fd4fa4%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637916843712080305%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=zcM%2Bwx34xDu1DS268L1ye4p4ADudAxJ1ZIbgn8kc7Bk%3D&reserved=0> > . > > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabRUYuscZiz9Sp1X%3DQdY0tj606U_--gtdm6NPvGHhny0Q%40mail.gmail.com.
