On 15 Nov 2022 at 00:33 Ben Wilson <[email protected]> wrote:
> This discussion thread relates to the GitHub Mozilla PKI Policy Issue #249.
>
> Here are the currently proposed changes to item 7 of Mozilla Root Store
> Policy (MRSP) section 3.3:
>
> Effective December 31, 2022, CA operators SHALL maintain links in their
> online repositories to all reasonably available historic older versions of
> each CPs and CPSes (or CP/CPSes) from the creation of included CAs,
> regardless of changes in ownership or control of such the root CAs, until the
> entire root CA certificate hierarchiesy (i.e. end entity certificates,
> intermediate CA certificates, and cross-certificates) operated in accordance
> with such documents are is no longer trusted by the Mozilla root store.
I'm having trouble grasping when a CA may stop maintaining those links. As I asked earlier in [0], when is the CA certificate hierarchy of such documents no longer considered trusted by the Mozilla Root Store?

It seems to me that the usage of cross-certificates would make it highly unlikely for a whole hierarchy to become no longer trusted, because cross-certificates for replacement roots are fairly common, and each of those grows the hierarchy of a CA and delays the expiration of the whole hierarchy by the replacement root's lifetime.

As an example:

Root R1, expired
. ^- X-signed R2, R2 is in root store
. . ^- X-signed R3, trust from R2
. . . ^- Intermediate ICA1, trusted from R2 through R3, technically in the hierarchy of both R2 and R1.
. . . . ^- Leaf Certificate

Can the CPs, CPSs and CP/CPSs that cover R1 before R2 was created be deleted? Or those that cover R1 before R3 was created? ICA1 is trusted, as is the Leaf Certificate, and the certificates are part of the hierarchy of R3, which is part of R2's, which is part of R1's, right? Then isn't Leaf Certificate also part of R1's hierarchy, thus requiring CAs to maintain the documents forever, or start a new root without cross-certificates to any old roots?

Kind regards,

Matthias van de Meent

[0] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/JnNgyxhBiZo/m/r54RxJhLAgAJ
