On Fri, Oct 14, 2022 at 8:40 PM Ben Wilson <[email protected]> wrote:
> All,
> I'm wordsmithing item 7 under MRSP section 3.3. Draft language is: "7.
> Effective December 31, 2022, CA operators SHALL maintain links in their
> online repositories to all reasonably available historic versions of CPs and
> CPSes (or CP/CPSes) from the creation of included CAs, regardless of changes
> in ownership or control of such CAs, until the entire CA certificate
> hierarchies (i.e. end entity certificates, intermediate CA certificates, and
> cross-certificates) operated in accordance with such documents are no longer
> trusted by the Mozilla root store."
I've had this thought before, but how does this hierarchy qualifier work?
I can think of a cross-signing chain in which a root cross-signs a
replacement root, which then has their own cross-signed replacement,
etc., resulting in a hierarchy of certificates of which the initial
root has long expired but newer roots (and leaf certificates) still
are trusted.
For example:
Root R1,expired
^- X-signed R2, R2 is in root store
^- X-signed R3, trust from R2
^- Intermediate CA, trust from R2 through R3, technically in
hierarchy of R2 and R1.
^- Leaf Certificate
The hierarchy of R1 still is partially trusted, but it itself is not
trusted anymore. Would the CA operator need to retain the CP/CPSes for
that R1?
Wouldn't a qualifier for "valid certificate paths" be useful here to
exclude expired and/or revoked (cross) CAs from the hierarchy?
Kind regards,
Matthias van de Meent
--
You received this message because you are subscribed to the Google Groups
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAAT_OQvkTp-Ax7VoDd44wxPqX-oaeD0-r5THMRR5OpFa7WT_fQ%40mail.gmail.com.
