Re: Disclosure of intermediates that chain to multiple roots

2016-05-20 Thread Kathleen Wilson
On Friday, May 20, 2016 at 2:39:20 AM UTC-7, Rob Stradling wrote:
> On 19/05/16 21:48, Kathleen Wilson wrote:
> > On Monday, May 16, 2016 at 1:33:40 PM UTC-7, Rob Stradling wrote:
> >> However, ISTM that a "proposed change currently in discussion" is less
> >> authoritative than the CA

Re: Disclosure of intermediates that chain to multiple roots

2016-05-20 Thread Rob Stradling
On 19/05/16 21:48, Kathleen Wilson wrote: On Monday, May 16, 2016 at 1:33:40 PM UTC-7, Rob Stradling wrote: However, ISTM that a "proposed change currently in discussion" is less authoritative than the CA Communication (which, as I've said, seems to explicitly require multiple disclosures of

Re: Disclosure of intermediates that chain to multiple roots

2016-05-19 Thread Kathleen Wilson
On Monday, May 16, 2016 at 1:33:40 PM UTC-7, Rob Stradling wrote:
> However, ISTM that a "proposed change currently in discussion" is less
> authoritative than the CA Communication (which, as I've said, seems to
> explicitly require multiple disclosures of the same intermediate when
> multiple

Re: Disclosure of intermediates that chain to multiple roots

2016-05-16 Thread Rob Stradling
On 13/05/16 22:09, Richard Barnes wrote: Thanks for explaining the specifics, Rob. To restate and check my understanding, this is a "Y-shaped" scenario, with the following CAs (by CN): (1) AddTrust External CA Root (included, owned by Comodo) (2) UTN-USERFirst-Hardware (included, owned by

Re: Disclosure of intermediates that chain to multiple roots

2016-05-13 Thread Richard Barnes
On Fri, May 13, 2016 at 10:48 PM, Nick Lamb wrote:
> On Friday, 13 May 2016 21:02:25 UTC+1, Rob Stradling wrote:
> > If it were up to me, I would...
> >1. Require https://crt.sh/?id=1790 to be disclosed precisely once, by
> > Web.com, because the chain up to Web.com's

Re: Disclosure of intermediates that chain to multiple roots

2016-05-13 Thread Nick Lamb
On Friday, 13 May 2016 21:02:25 UTC+1, Rob Stradling wrote:
> If it were up to me, I would...
>1. Require https://crt.sh/?id=1790 to be disclosed precisely once, by
> Web.com, because the chain up to Web.com's Built-in Root is the shortest
> chain.
>2. Hold both Web.com and Comodo

Re: Disclosure of intermediates that chain to multiple roots

2016-05-13 Thread Rob Stradling
On 13/05/16 19:59, Richard Barnes wrote: IIUC, that last sentence is saying that multiple disclosures are required (one disclosure per root to which the intermediate chains). Have I misread it? No, I agree with you. If two certs have different issuers, they're different certs, so

Re: Disclosure of intermediates that chain to multiple roots

2016-05-13 Thread Richard Barnes
On Fri, May 13, 2016 at 3:28 PM, Kurt Roeckx wrote:
> On 2016-05-13 14:41, Richard Barnes wrote:
>
>> IIRC, the disclosure requirement is in terms of certificates, and the
>> disclosure responsibility is on the issuing CA. So you would have one
>> disclosure per certificate, and

Disclosure of intermediates that chain to multiple roots

2016-05-13 Thread Rob Stradling
Kathleen, Some NSS built-in roots are cross-certified by other built-in roots. When an intermediate cert chains to multiple roots, does it need to be disclosed multiple times (once for each root)? Or, if it only needs to be disclosed once, then how should we determine which CA is