On Tue, February 18, 2014 5:28 am, Ruy Ramos wrote:
>  On 02/15/2014 04:42 PM, David E. Ross wrote:
> > I noticed in the open bug reports for adding new root certificates that
> > several national certification authorities are actually acting as super
> > CAs without complete accountability for the operations of their
> > subsidiary CAs.  Is the plan to eventually include the roots of the
> > super CAs in the NSS database?  Or will only the roots of the subsidiary
> > CAs be included, after the usual Mozilla review process?  How will this
> > be decided?
> >
> > See:
> > <https://bugzilla.mozilla.org/show_bug.cgi?id=335197>
> > <https://bugzilla.mozilla.org/show_bug.cgi?id=438825>
> > <https://bugzilla.mozilla.org/show_bug.cgi?id=557167>
> >
>  The Brazilian root CA for ICP-Brasil has complete accountability for the
>  operations of its subsidiary CAs. That is achieved by annual audit
>  procedures taken into effect by ITI, the federal agency that plays the
>  role of Root CA of ICP-Brasil. So, in our opinion, it doesn't make any
>  sense to include only the subsidiary CAs' certificates, because the trusted
>  chain won't be correctly achieved without the check against the root
>  certificates of ICP-Brasil root CA (the ITI's certificates). So, in our
>  case, we would like very much to see the root certificates of the
>  so-called super CA (ITI root certificates) included in the NSS database.
>  Otherwise, it won't work for the Brazilian applications.
>
>  Ruy Ramos
>  ITI
>  --

Can you please explain what you mean by "the trusted chain won't be
correctly achieved"?

Trust anchors do not need to be root certificates. So why, specifically
and technically, does the ICP-Brasil root need to be included?

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
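
The reply's point that a trust anchor need not be a self-signed root can be checked with OpenSSL's command-line verifier. This is an added example, not part of the original message and not NSS code: OpenSSL stands in for NSS, and the "Demo" CA names, file names and keys are constructed throwaways.

```shell
#!/bin/sh
# Constructed demo: every key and certificate is a throwaway generated locally.

issue() {   # $1=name  $2=CN  $3=issuer name or "self"  $4=extension file (optional)
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
    if [ "$3" = self ]; then signer="-signkey $1.key"
    else signer="-CA $3.pem -CAkey $3.key -CAcreateserial"; fi
    # $signer is deliberately unquoted so it splits into separate arguments.
    openssl x509 -req -in "$1.csr" $signer -days 2 \
        ${4:+-extfile "$4"} -out "$1.pem" 2>/dev/null
}

build_chain() {   # $1 = empty working directory
    ( cd "$1" || exit 1
      printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
      issue super "Demo Super CA" self ca.ext &&        # self-signed root
      issue sub "Demo Subsidiary CA" super ca.ext &&    # CA certificate signed by the root
      issue leaf "leaf.example.test" sub )              # end-entity signed by the subsidiary
}

# Trust store holds only the subsidiary CA; default mode insists on reaching a self-signed root.
verify_sub_only_strict() {
    openssl verify -CAfile "$1/sub.pem" "$1/leaf.pem" >/dev/null 2>&1
}
# Same store, but any trusted certificate may terminate the chain.
verify_sub_as_anchor() {
    openssl verify -partial_chain -CAfile "$1/sub.pem" "$1/leaf.pem" >/dev/null 2>&1
}
# Conventional setup: super CA root trusted, subsidiary supplied as an untrusted intermediate.
verify_super_as_anchor() {
    openssl verify -CAfile "$1/super.pem" -untrusted "$1/sub.pem" "$1/leaf.pem" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) && build_chain "$d" || return 1
    for check in verify_sub_only_strict verify_sub_as_anchor verify_super_as_anchor; do
        if "$check" "$d"; then echo "$check: chain accepted"
        else echo "$check: chain rejected"; fi
    done
    rm -rf "$d"
}
demo
```

In OpenSSL, the subsidiary CA is accepted as the anchor only when `-partial_chain` is given, so the leaf validates without the super CA's certificate being in the trust store at all.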
