* Florian Weimer:

> * Kai Engert:
>
>> The discovery of any unconstrained and unrevoked intermediate CA
>> certificate that isn't controlled by the root CA organization results in
>> the immediate removal of the root CA from the Mozilla CA list.
>
> In this case, wouldn't this require the removal of the Entrust root,
> not just the CNNIC root? Or wasn't the CNNIC SSL sub-CA certificate
> extended beyond 2012?

According to the CNNIC CPS, the sub-CA certificate still exists:

  “According to the agreement of CNNIC and Entrust, CNNIC intermediate
  root CNNIC SSL is trusted by Entrust root certificate also. The domain
  certificates issued by CNNIC Trusted Network Service Center may be
  generated through different route either by CNNIC root or by Entrust
  root.”

  Certificate Practice Statement of the Trusted Network Service Center
  of the China Internet Network Information Center (CNNIC)
  Version No.: 3.03
  Validity from July 1st, 2013
  <http://www1.cnnic.cn/IS/fwqzs/CNNICfwqzsywgz/201208/W020130929345948738150.pdf>

However, Entrust does not list the sub-CA certificate here:

<http://www.entrust.net/about/third-party-sub-ca.htm>

As far as I can see, there are several explanations for that:

* It was omitted by accident.

* The CNNIC root was signed (although only signatures on the
  intermediate CNNIC SSL CA certificate have been documented so far, I
  think).

* Entrust assumes that once an organization has a root in the Mozilla
  program, any sub-CAs controlled by that organization are exempted
  from disclosure.

* The CNNIC CPS is incorrect, and they no longer run an
  Entrust-sponsored sub-CA.