Hi Matthias,

Before I answer the questions, I think example dates need to be associated with the events in the example cited below.

Thanks,
Ben

On Thu, Nov 17, 2022 at 4:40 PM Matthias van de Meent <[email protected]> wrote:

> On 15 Nov 2022 at 00:33 Ben Wilson <[email protected]> wrote:
> > This discussion thread relates to the GitHub Mozilla PKI Policy Issue #249.
> >
> > Here are the currently proposed changes to item 7 of Mozilla Root Store Policy (MRSP) section 3.3:
> >
> > Effective December 31, 2022, CA operators SHALL maintain links in their online repositories to all reasonably available historic older versions of each CPs and CPSes (or CP/CPSes) from the creation of included CAs, regardless of changes in ownership or control of such the root CAs, until the entire root CA certificate hierarchiesy (i.e. end entity certificates, intermediate CA certificates, and cross-certificates) operated in accordance with such documents are is no longer trusted by the Mozilla root store.
>
> I'm having trouble grasping when a CA may stop maintaining those links. As I asked earlier in [0], when is the CA certificate hierarchy of such documents no longer considered trusted by the Mozilla Root Store?
>
> It seems to me that the usage of cross-certificates would make it highly unlikely for a whole hierarchy to become no longer trusted, because cross-certificates for replacement roots are fairly common and each of those grows the hierarchy of a CA and delays the expiration of the whole hierarchy by the replacement root's lifetime.
>
> As example:
>
> Root R1, expired
> . ^- X-signed R2, R2 is in root store
> . . ^- X-signed R3, trust from R2
> . . . ^- Intermediate ICA1, trusted from R2 through R3, technically in the hierarchy of both R2 and R1.
> . . . . ^- Leaf Certificate
>
> Can the CPs, CPSs and CP/CPSs that cover R1 before R2 was created be deleted? Or those that cover R1 before R3 was created?
> ICA1 is trusted, as is the Leaf Certificate, and the certificates are part of the hierarchy of R3, which is part of R2's, which is part of R1's, right? Then isn't Leaf Certificate also part of R1's hierarchy, thus requiring CAs to maintain the documents forever, or start a new root without cross-certificates to any old roots?
>
> Kind regards,
>
> Matthias van de Meent
>
> [0] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/JnNgyxhBiZo/m/r54RxJhLAgAJ
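The R1/R2/R3/ICA1/Leaf example quoted above, as an added illustration that is not part of the original thread: a small Python model that computes which certificates fall into a root's hierarchy once cross-certificates are followed, and whether anything in that hierarchy still chains to the root store. The certificate set, the notAfter dates and the evaluation date are constructed assumptions, not data from the thread.

```python
from datetime import date

# Constructed data mirroring the thread's example: subject -> (issuers, notAfter).
# Self-signed root certificates are omitted; a cross-certificate is an issuance
# edge from the signing root to the cross-signed root.
CERTS = {
    "R1":   ([],       date(2020, 1, 1)),  # expired root
    "R2":   (["R1"],   date(2035, 1, 1)),  # cross-signed by R1, also in the store
    "R3":   (["R2"],   date(2035, 1, 1)),  # cross-signed by R2
    "ICA1": (["R3"],   date(2030, 1, 1)),  # intermediate issued by R3
    "Leaf": (["ICA1"], date(2024, 6, 1)),  # end-entity certificate
}
ROOT_STORE = {"R2"}
TODAY = date(2023, 1, 1)  # hypothetical evaluation date

def hierarchy(root, certs=CERTS):
    """Every certificate issued under `root`, following cross-certificates."""
    members, frontier = set(), [root]
    while frontier:
        cur = frontier.pop()
        for subject, (issuers, _) in certs.items():
            if cur in issuers and subject not in members:
                members.add(subject)
                frontier.append(subject)
    return members

def is_trusted(subject, certs=CERTS, root_store=ROOT_STORE, today=TODAY, _seen=()):
    """True if an unexpired chain leads from `subject` up to a root in the store.
    A store root is an anchor in itself, so R1's expiry does not affect R2."""
    issuers, not_after = certs[subject]
    if not_after < today or subject in _seen:  # expired, or a cross-sign cycle
        return False
    if subject in root_store:
        return True
    return any(is_trusted(i, certs, root_store, today, _seen + (subject,))
               for i in issuers)

def hierarchy_still_trusted(root, root_store=ROOT_STORE, today=TODAY):
    """The thread's question for one root: does anything in its hierarchy
    still chain to the current root store?"""
    return any(is_trusted(s, CERTS, root_store, today) for s in hierarchy(root))

if __name__ == "__main__":
    for root in ("R1", "R2", "R3"):
        print(root, sorted(hierarchy(root)), hierarchy_still_trusted(root))
    # R1's hierarchy only stops being trusted once R2 leaves the store or expires.
    print("R1 after R2 removed:", hierarchy_still_trusted("R1", root_store=set()))
```

Under this literal reading, R1's hierarchy contains the trusted ICA1 and Leaf even though R1 itself is expired, which is the outcome the quoted message describes; the model also shows the two events that end it (R2 leaving the store, or every cross-signed descendant expiring).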
