Re: A new US government CA for the web PKI
On Fri, Mar 3, 2017 at 6:25 AM, Gervase Markham via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On 02/03/17 20:45, Eric Mill wrote:
> > Our goal is to start a new root and set of issuing CAs that is completely
> > disconnected and separate from the existing Federal PKI bridge network that
> > members of the web PKI community may be familiar with.
>
> Are you able to say whether you will be seeking a cross-sign from an
> existing publicly-trusted cert to bootstrap your ubiquity?

That's definitely being considered, as it would be an obvious way to accelerate the utility of a new CA intended for public trust.

> I note that some chap called Eric commented a couple of years ago that
> newly-added certificates would take a long time to be well enough
> distributed for USG websites to rely on them:
> https://bugzilla.mozilla.org/show_bug.cgi?id=478418#c70
> :-)

Seems like a reasonable guy...

> > government operated devices, and so we welcome appropriately narrow name
> > constraints that reflect that.
>
> Will you be encoding these constraints in your roots and/or
> intermediates, or will you be requesting that people shipping your roots
> impose them externally?
>
> If you are considering putting them in the roots, you may want to talk
> to HARICA, who attempted this and (I believe) ran into one or two issues.

That's the exact kind of question for which we could really use community input. We do have a general discussion thread open, with GSA and DoD staff contributing, to discuss the breadth of the constraints and potential implementation issues:

https://github.com/uspki/policies/issues/12

I know I definitely don't have a complete understanding of client support and failure modes for in-certificate constraints in today's ecosystem. Breadth of enforcement is a factor, and so is breadth of support and reliability.

> > Since we’re not yet an applicant, this forum may not be the best place for
> > an extended discussion (though we’re happy to engage in discussion here if
> > people would like)
>
> This forum hosts general WebPKI discussion; you are welcome to keep us
> updated on your progress.

Thank you!

-- Eric

> Gerv

--
Eric Mill
Senior Advisor, Technology Transformation Service, GSA
eric.m...@gsa.gov, +1-617-314-0966
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: A new US government CA for the web PKI
On 02/03/17 20:45, Eric Mill wrote:
> Our goal is to start a new root and set of issuing CAs that is completely
> disconnected and separate from the existing Federal PKI bridge network that
> members of the web PKI community may be familiar with.

Are you able to say whether you will be seeking a cross-sign from an existing publicly-trusted cert to bootstrap your ubiquity?

I note that some chap called Eric commented a couple of years ago that newly-added certificates would take a long time to be well enough distributed for USG websites to rely on them:
https://bugzilla.mozilla.org/show_bug.cgi?id=478418#c70
:-)

> government operated devices, and so we welcome appropriately narrow name
> constraints that reflect that.

Will you be encoding these constraints in your roots and/or intermediates, or will you be requesting that people shipping your roots impose them externally?

If you are considering putting them in the roots, you may want to talk to HARICA, who attempted this and (I believe) ran into one or two issues.

> Since we’re not yet an applicant, this forum may not be the best place for
> an extended discussion (though we’re happy to engage in discussion here if
> people would like)

This forum hosts general WebPKI discussion; you are welcome to keep us updated on your progress.

Gerv

A new US government CA for the web PKI
Hi all,

Though we’re not at the point of filing an application for Mozilla’s root program, I wanted to share with this community the beginnings of an effort by the US government to start a new PKI intended for publicly trusted certificates.

This effort is being led by the General Services Administration and the Department of Defense. Our goal is to start a new root and set of issuing CAs that is completely disconnected and separate from the existing Federal PKI bridge network that members of the web PKI community may be familiar with.

The existing Federal PKI is used to issue many kinds of certificates, including those used for enterprise devices and for government personal identity verification (PIV). This new hierarchy would focus only on certificates intended for devices on the internet, rather than people, and their operation and policies are intended to adhere strictly to web PKI requirements, as expressed through the CA/Browser Forum’s Baseline Requirements and those of various root programs. In addition, this hierarchy is intended only to serve US government operated devices, and so we welcome appropriately narrow name constraints that reflect that.

While we’re still in the early stages, we are working on the root policy documents -- including a CP, CPS, and various certificate profiles -- in public on GitHub:

https://github.com/uspki/policies

One additional thing I’d like to mention is that we’re fully in support of the goals of Certificate Transparency. This project was initiated prior to Chrome announcing its October 2017 CT requirement, and our intent from the beginning has been to log 100% of issued certificates, with no special need for redaction. As part of this, we are evaluating the possibility of creating a new CT log that can issue SCTs considered valid by browsers for policy enforcement.

We generally intend the issuing CAs to support automated certificate issuance, which includes evaluating existing standard protocols.
In general, we expect to use and support open standards and open source tools where they support the effort.

Since we’re not yet an applicant, this forum may not be the best place for an extended discussion (though we’re happy to engage in discussion here if people would like), but we’re actively seeking public participation and input during the process -- issues and pull requests to the GitHub repository above are quite welcome, and we’ll create additional repos as we go for other parts of the project.

As we make progress, we hope to contribute positively to the web PKI and CT ecosystem, and we plan to be engaging publicly with the community here and other places along the way.

-- Eric

(P.S. This is my first email to the list from my work .gov address, so I'll just quick note that that means I'm speaking in my work capacity. Emails that are not from my work address are not speaking in my work capacity.)

--
Eric Mill
Senior Advisor, Technology Transformation Service, GSA
eric.m...@gsa.gov, +1-617-314-0966