Agreed. This part of the Mozilla requirement -- to report previously unreported revoked and technically constrained CA certificates in the CCADB -- can be postponed until we release an update to the current policy.
However, CA operators should still be aware of Section 4 of the CCADB Policy [1]:

An intermediate certificate is a certificate capable of issuing new certificates that is not a root certificate. To determine which intermediate certificates must be entered into the CCADB, refer to the individual Store policy documents. This includes certificates that are revoked. For newly-created intermediate certificates, this must happen before the certificate begins issuing publicly-trusted certificates. ... If an intermediate certificate is revoked, the CCADB must be updated to mark it as revoked, giving the reason why, within 24 hours for a security incident, and within 7 days for any other reason.

And also Apple's policy [2]:

Effective April 1, 2022, CA providers must disclose in the CCADB all CA certificates which chain up to their CA Certificate(s) included in the Apple Root Program.

Thanks,

Ben

[1] https://www.ccadb.org/policy#4-intermediate-certificates
[2] https://www.apple.com/certificateauthority/ca_program.html

On Thu, Jun 30, 2022 at 9:25 AM Jeremy Rowley <[email protected]> wrote:

> One other note Ben is that section 1.1 puts revoked ICAs outside of the policy. There probably should be a community discussion and review before this policy changes.
>
> 1.1 Scope
>
> This policy applies, as appropriate, to certificates matching any of the following (and to the CA operators* that control or issue them):
>
> 1. CA certificates included in, or under consideration for inclusion in, the Mozilla root store;
>
> 2. *intermediate certificates that have at least one valid, unrevoked chain* up to such a CA certificate and that are technically capable of issuing working server or email certificates. Intermediate certificates that are not considered to be technically capable will contain either:
>
> Given this is now bringing all revoked intermediates into scope, would this be better set for a 2.8.1 update to change the scope language?
>
> Jeremy
>
> *From:* [email protected] <[email protected]> *On Behalf Of *Ben Wilson
> *Sent:* Wednesday, June 29, 2022 2:35 PM
> *To:* Rob Stradling <[email protected]>
> *Cc:* Dimitris Zacharopoulos <[email protected]>; [email protected] <[email protected]>
> *Subject:* Re: Draft May 2022 CA Communication and Survey
>
> Hi Everyone,
>
> Section 5.3.2 of the current policy states that it applies to CAs "capable of issuing working server or email certificates". We could have made it clearer that unexpired but revoked CA certificates had to be reported in the CCADB so that they can be added to OneCRL. I have opened Issue #250 in Github [1] to amend the policy to expressly mention revoked CA certificates and the exclusion of expired CA certificates. We could also possibly remove CAs capable of issuing working email certificates, but that will require more discussion during the next policy-revision cycle. Finally, the size of some name-constrained CA certificates may be too large to submit through the current CCADB interface. If that is the case, then they can be uploaded to Bugzilla as attachments to a non-incident bug.
>
> Do these suggestions work?
>
> Thanks,
>
> Ben
>
> [1] https://github.com/mozilla/pkipolicy/issues/250
>
> On Wed, Jun 29, 2022 at 4:21 AM Rob Stradling <[email protected]> wrote:
>
> Hi Ben. Are you able to provide an update yet? It would be really helpful if Mozilla's interpretation of the new disclosure requirement could be made clear before that requirement comes into force on Friday!
>
> ------------------------------
> *From:* Ben Wilson <[email protected]>
> *Sent:* 24 June 2022 17:19
> *To:* Rob Stradling <[email protected]>
> *Cc:* Dimitris Zacharopoulos <[email protected]>; [email protected] <[email protected]>
> *Subject:* Re: Draft May 2022 CA Communication and Survey
>
> Hi Rob and Dimitris,
>
> I think you're correct, but let me confirm and get back to you.
>
> Ben
>
> On Fri, Jun 24, 2022 at 10:10 AM 'Rob Stradling' via [email protected] <[email protected]> wrote:
>
> Hi Dimitris. IIUC, you're suggesting that revocation of a Sub-CA certificate via CRL and/or OCSP is sufficient to prevent leaf certificates from "working". I understand why you might think this, but I don't think it's Mozilla's view.
>
> My understanding is that Mozilla only considers a Sub-CA certificate to be fully revoked if it's included in OneCRL (or if the "parent" Sub-CA certificate(s) is/are included in OneCRL), and that Mozilla will typically only include a Sub-CA certificate in OneCRL if it has first been disclosed to CCADB as "Revoked". AFAICT from the latest Policy, technically-constrained Sub-CA certificates and unconstrained Sub-CA certificates are now treated identically in this regard. The implication, I think, is that leaf certificates are considered by Mozilla to be "working" unless one or more Sub-CA certificates in each potential trust chain are revoked via OneCRL.
>
> Obviously I don't speak for Mozilla though. 🙂
>
> Ben, Kathleen: Please could I ask one of you to clarify Mozilla's viewpoint on this matter?
>
> ------------------------------
> *From:* Dimitris Zacharopoulos <[email protected]>
> *Sent:* 24 June 2022 13:27
> *To:* Rob Stradling <[email protected]>; [email protected] <[email protected]>
> *Subject:* Re: Draft May 2022 CA Communication and Survey
>
> Hi Rob,
>
> I believe the requirement does not include the disclosure of Revoked subCAs as they are not *"technically capable of issuing working server or email certificates"*.
>
> Thanks,
> Dimitris.
>
> On 24/6/2022 3:13 p.m., 'Rob Stradling' via [email protected] wrote:
>
> Hi. This is a friendly reminder about the recent Mozilla Root Store Policy update [1] that was communicated in ITEM 7 *(Publicly Disclose Intermediate CA Certificates capable of Issuing TLS or SMIME...in the CCADB by July 1, 2022, even if they are technically constrained)* of the May 2022 CA Communication and Survey.
>
> Today I've updated https://crt.sh/mozilla-disclosures to bring it in line with this Policy update.
>
> crt.sh currently knows of 40 technically-constrained CA certificates [2] that are *"capable of issuing working server or email certificates"* but that have not yet been disclosed to the CCADB. Since some of these CA certificates were issued by CAs whose response to ITEM 7 was *"The CCADB already contains all our CA certificates capable of issuing working server or email certificates, including those that are technically constrained"* [3], I would like to encourage CA operators to take another look at this topic to ensure that their CA is compliant by the upcoming July 1st deadline.
>
> [1] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#5-certificates:~:text=Name%2Dconstrained%20CA%20certificates%20that%20are%20technically%20capable%20of%20issuing%20working%20server%20or%20email%20certificates%20that%20were%20exempt%20from%20disclosure%20in%20previous%20versions%20of%20this%20policy%20MUST%20be%20disclosed%20in%20the%20CCADB%20prior%20to%20July%201%2C%202022.
>
> [2] https://crt.sh/mozilla-disclosures#constrained
>
> [3] https://ccadb-public.secure.force.com/mozillacommunications/CACommResponsesOnlyReport?CommunicationId=a058Z000013UmsDQAS&QuestionId=Q00175,Q00176
>
> ------------------------------
> *From:* [email protected] <[email protected]> on behalf of Ben Wilson <[email protected]>
> *Sent:* 16 May 2022 21:50
> *To:* [email protected] <[email protected]>
> *Subject:* Re: Draft May 2022 CA Communication and Survey
>
> All,
>
> I'm going to hit "send" on the May 2022 CA Communication and Survey this afternoon. CA responses will be made available at https://wiki.mozilla.org/CA/Communications#May_2022_Responses.
>
> Thanks,
>
> Ben
>
> On Thu, May 12, 2022 at 2:43 PM Ben Wilson <[email protected]> wrote:
>
> All,
>
> Please review and provide feedback on the following draft of the May 2022 CA Communication and Survey that we plan to send to CAs in the Mozilla root store:
>
> https://ccadb-public.secure.force.com/mozillacommunications/CACommunicationSurveySample?CACommunicationId=a058Z000013UmsDQAS
>
> Thanks,
>
> Ben
>
> --
> You received this message because you are subscribed to the Google Groups "[email protected]" <[email protected]> group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaY8Ew-JW0k%2B5bzZc-2OGZtHQOb2J-yChCYwh0DDic59%3Dw%40mail.gmail.com.
