On Thu, Dec 3, 2015 at 11:17 AM, Kathleen Wilson <kwil...@mozilla.com> wrote:
> On 12/3/15 11:04 AM, Peter Bowen wrote:
>>
>> On Thu, Dec 3, 2015 at 10:31 AM, Kathleen Wilson <kwil...@mozilla.com>
>> wrote:
>>>>
>>>> On 23/11/15 15:57, Peter Bowen wrote:
>>>>>
>>>>> I realize that Mozilla carved out allowance for not disclosing, but
>>>>> the CA/Browser Forum did not adopt this, instead only exempting
>>>>> technically constrained CAs from the audit requirement. Maybe this is
>>>>> a place where the Mozilla policy can be aligned with the BRs.
>>>>
>>> Are you referring to section 3.2.6 of the BRs?
>>> ~~
>>> 3.2.6. Criteria for Interoperation or Certification
>>> The CA SHALL disclose all Cross Certificates that identify the CA as the
>>> Subject, provided that the CA arranged for or accepted the establishment
>>> of the trust relationship (i.e. the Cross Certificate at issue).
>>> ~~
>>>
>>> Or were you referring to something else?
>>>
>>> From BR Definitions:
>>> Cross Certificate: A certificate that is used to establish a trust
>>> relationship between two Root CAs.
>>> Root CA: The top level Certification Authority whose Root Certificate is
>>> distributed by Application Software Suppliers and that issues
>>> Subordinate CA Certificates.
>>
>> I was but forgot that the definition of cross certificate in the BRs
>> is different from the X.509 definition.
>
> So, the BRs do not mention disclosure of any intermediate certificates other
> than cross-signing relationships between root certs included in the major
> root stores. So, on this particular topic we do not want to align Mozilla
> policy with the BRs. Correct?
Agreed. However, it does raise the question of whether the Mozilla policy should be:

1) All certificates with CA:TRUE must be disclosed

or

2) All certificates with CA:TRUE must be disclosed except:
   - certificates that meet the technically constrained definition
   - certificates where the issuer is not required to be disclosed due to the previous line

or

3) All certificates with CA:TRUE must be disclosed except certificates where the Issuing CA is technically constrained

Option #3 would require disclosing the technically constrained certificate but nothing further down the graph.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
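To make the difference between the three options concrete, here is an added example (not code from the thread, Mozilla or the CA/Browser Forum) that evaluates each rule over a constructed CA hierarchy. It assumes that constraints on an issuing CA bind every CA below it in path validation, which is what makes option 3 stop "further down the graph"; the hierarchy, names and the `constrained` flag are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class CaCert:
    """A CA:TRUE certificate in a hierarchy (constructed model, not a real CA)."""
    name: str
    issuer: Optional[str]   # None marks a root in the trust store
    constrained: bool       # meets the "technically constrained" definition itself


# Constructed hierarchy: a root, an unconstrained intermediate, a technically
# constrained intermediate, and two CAs chained below the constrained one.
HIERARCHY: Dict[str, CaCert] = {c.name: c for c in [
    CaCert("Root", None, False),
    CaCert("Int-A", "Root", False),
    CaCert("Int-B-Constrained", "Root", True),
    CaCert("Sub-B1", "Int-B-Constrained", False),
    CaCert("Sub-B1-Leafy", "Sub-B1", False),
]}


def constrained_by_chain(name: str, certs: Dict[str, CaCert] = HIERARCHY) -> bool:
    """True if `name` or any CA above it is constrained (assumption: constraints
    on an issuing CA bind everything below it in path validation)."""
    cur: Optional[str] = name
    while cur is not None:
        if certs[cur].constrained:
            return True
        cur = certs[cur].issuer
    return False


def must_disclose(name: str, option: int, certs: Dict[str, CaCert] = HIERARCHY) -> bool:
    """Apply one of the three disclosure rules from the post to one CA cert."""
    cert = certs[name]
    if option == 1:                      # every CA:TRUE certificate
        return True
    if option == 2:                      # exempt if constrained, or if issuer was exempt (read recursively)
        if cert.constrained:
            return False
        return cert.issuer is None or must_disclose(cert.issuer, 2, certs)
    if option == 3:                      # exempt only when the *issuing* CA is constrained
        return cert.issuer is None or not constrained_by_chain(cert.issuer, certs)
    raise ValueError(f"unknown option {option}")


def disclosure_set(option: int, certs: Dict[str, CaCert] = HIERARCHY) -> list:
    """Intermediates (non-roots) that the chosen option requires to be disclosed."""
    return sorted(n for n, c in certs.items()
                  if c.issuer is not None and must_disclose(n, option, certs))
```

Under option 2 only `Int-A` is disclosed; option 3 additionally discloses `Int-B-Constrained` itself but nothing beneath it.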