Will the due date for these ICAs change? The requirement around revoked CAs 
definitely wasn’t clear. Getting everyone to upload and post by July 1 is a 
tight deadline.
________________________________
From: [email protected] <[email protected]> on 
behalf of Ben Wilson <[email protected]>
Sent: Wednesday, June 29, 2022 2:35:12 PM
To: Rob Stradling <[email protected]>
Cc: Dimitris Zacharopoulos <[email protected]>; [email protected] 
<[email protected]>
Subject: Re: Draft May 2022 CA Communication and Survey

Hi Everyone,

Section 5.3.2 of the current policy states that it applies to CAs "capable of 
issuing working server or email certificates". We could have made it clearer 
that unexpired but revoked CA certificates had to be reported in the CCADB so 
that they can be added to OneCRL. I have opened Issue #250 in Github [1] to 
amend the policy to expressly mention revoked CA certificates and the exclusion 
of expired CA certificates. We could also possibly remove CAs capable of 
issuing working email certificates, but that will require more discussion 
during the next policy-revision cycle. Finally, the size of some 
name-constrained CA certificates may be too large to submit through the current 
CCADB interface. If that is the case, then they can be uploaded to Bugzilla as 
attachments to a non-incident bug.
Do these suggestions work?
Thanks,
Ben

[1]  https://github.com/mozilla/pkipolicy/issues/250
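An added illustration, not code from this thread or from any Mozilla or CCADB tooling, of the reading Ben sets out above: a small constructed CA hierarchy built with Go's crypto/x509 and a classifier that says whether each certificate falls under the disclosure requirement. The helper names (mintCA, DisclosureStatus) are assumed here, as is the assumption that revocation status comes from the CA's own records rather than from the certificate itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mintCA builds a constructed CA certificate (self-signed when parent is nil); sample data only.
func mintCA(cn string, parent *x509.Certificate, pkey *ecdsa.PrivateKey, notAfter time.Time,
	ekus []x509.ExtKeyUsage, permittedDNS []string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: notAfter.AddDate(-5, 0, 0), NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, ExtKeyUsage: ekus, PermittedDNSDomains: permittedDNS}
	signer, signKey := tmpl, key // self-signed unless a parent is supplied
	if parent != nil {
		signer, signKey = parent, pkey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// DisclosureStatus applies the reading above: an unexpired CA certificate able to issue TLS or
// S/MIME certificates belongs in the CCADB even if name-constrained; revocation (not encoded in
// the certificate, so supplied by the caller) only changes the status it is reported with, which
// is what lets OneCRL pick it up; expired certificates are out of scope.
func DisclosureStatus(c *x509.Certificate, revoked bool, now time.Time) string {
	capable := len(c.ExtKeyUsage) == 0 // no EKU extension means unrestricted issuance
	for _, eku := range c.ExtKeyUsage {
		capable = capable || eku == x509.ExtKeyUsageAny || eku == x509.ExtKeyUsageServerAuth ||
			eku == x509.ExtKeyUsageEmailProtection
	}
	switch {
	case now.After(c.NotAfter):
		return "expired: no disclosure required"
	case !c.IsCA || !capable:
		return "cannot issue TLS or S/MIME certs: no disclosure required"
	case revoked:
		return "disclose in CCADB as Revoked"
	}
	return "disclose in CCADB"
}
```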

On Wed, Jun 29, 2022 at 4:21 AM Rob Stradling <[email protected]> wrote:
Hi Ben.  Are you able to provide an update yet?  It would be really helpful if 
Mozilla's interpretation of the new disclosure requirement could be made clear 
before that requirement comes into force on Friday!

________________________________
From: Ben Wilson <[email protected]>
Sent: 24 June 2022 17:19
To: Rob Stradling <[email protected]>
Cc: Dimitris Zacharopoulos <[email protected]>; [email protected] <[email protected]>
Subject: Re: Draft May 2022 CA Communication and Survey

Hi Rob and Dimitris,
I think you're correct, but let me confirm and get back to you.
Ben


On Fri, Jun 24, 2022 at 10:10 AM 'Rob Stradling' via [email protected] <[email protected]> wrote:
Hi Dimitris.  IIUC, you're suggesting that revocation of a Sub-CA certificate 
via CRL and/or OCSP is sufficient to prevent leaf certificates from "working".  
I understand why you might think this, but I don't think it's Mozilla's view.

My understanding is that Mozilla only considers a Sub-CA certificate to be 
fully revoked if it's included in OneCRL (or if the "parent" Sub-CA 
certificate(s) is/are included in OneCRL), and that Mozilla will typically only 
include a Sub-CA certificate in OneCRL if it has first been disclosed to CCADB 
as "Revoked".  AFAICT from the latest Policy, technically-constrained Sub-CA 
certificates and unconstrained Sub-CA certificates are now treated identically 
in this regard.  The implication, I think, is that leaf certificates are 
considered by Mozilla to be "working" unless one or more Sub-CA certificates in 
each potential trust chain are revoked via OneCRL.

Obviously I don't speak for Mozilla though.  🙂

Ben, Kathleen: Please could I ask one of you to clarify Mozilla's viewpoint on 
this matter?
________________________________
From: Dimitris Zacharopoulos <[email protected]>
Sent: 24 June 2022 13:27
To: Rob Stradling <[email protected]>; [email protected] <[email protected]>
Subject: Re: Draft May 2022 CA Communication and Survey

Hi Rob,

I believe the requirement does not include the disclosure of Revoked subCAs as 
they are not "technically capable of issuing working server or email 
certificates".


Thanks,
Dimitris.

On 24/6/2022 3:13 PM, 'Rob Stradling' via [email protected] wrote:
Hi.  This is a friendly reminder about the recent Mozilla Root Store Policy 
update[1] that was communicated in ITEM 7 (Publicly Disclose Intermediate CA 
Certificates capable of Issuing TLS or SMIME...in the CCADB by July 1, 2022, 
even if they are technically constrained) of the May 2022 CA Communication and 
Survey.

Today I've updated https://crt.sh/mozilla-disclosures to bring it in line with this Policy update.

crt.sh currently knows of 40 technically-constrained CA certificates [2] that 
are "capable of issuing working server or email certificates" but that have not 
yet been disclosed to the CCADB.  Since some of these CA certificates were 
issued by CAs whose response to ITEM 7 was "The CCADB already contains all our 
CA certificates capable of issuing working server or email certificates, 
including those that are technically constrained" [3], I would like to 
encourage CA operators to take another look at this topic to ensure that their 
CA is compliant by the upcoming July 1st deadline.


[1] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#5-certificates:~:text=Name%2Dconstrained%20CA%20certificates%20that%20are%20technically%20capable%20of%20issuing%20working%20server%20or%20email%20certificates%20that%20were%20exempt%20from%20disclosure%20in%20previous%20versions%20of%20this%20policy%20MUST%20be%20disclosed%20in%20the%20CCADB%20prior%20to%20July%201%2C%202022.

[2] https://crt.sh/mozilla-disclosures#constrained

[3] https://ccadb-public.secure.force.com/mozillacommunications/CACommResponsesOnlyReport?CommunicationId=a058Z000013UmsDQAS&QuestionId=Q00175,Q00176

________________________________
From: [email protected] <[email protected]> on behalf of Ben Wilson <[email protected]>
Sent: 16 May 2022 21:50
To: [email protected] <[email protected]>
Subject: Re: Draft May 2022 CA Communication and Survey

All,
I'm going to hit "send" on the May 2022 CA Communication and Survey this afternoon.  CA responses will be made available at https://wiki.mozilla.org/CA/Communications#May_2022_Responses.
Thanks,
Ben

On Thu, May 12, 2022 at 2:43 PM Ben Wilson <[email protected]> wrote:
All,

Please review and provide feedback on the following draft of the May 2022 CA 
Communication and Survey that we plan to send to CAs in the Mozilla root store:
https://ccadb-public.secure.force.com/mozillacommunications/CACommunicationSurveySample?CACommunicationId=a058Z000013UmsDQAS

Thanks,
Ben
--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaY8Ew-JW0k%2B5bzZc-2OGZtHQOb2J-yChCYwh0DDic59%3Dw%40mail.gmail.com.