On 13/05/16 22:09, Richard Barnes wrote:
<snip>
Thanks for explaining the specifics, Rob. To restate and check my
understanding, this is a "Y-shaped" scenario, with the following CAs (by
CN):
(1) AddTrust External CA Root (included, owned by Comodo)
(2) UTN-USERFirst-Hardware (included, owned by Comodo)
(3) Network Solutions Certificate Authority (included, owned by Web.com)
(4) Network Solutions EV Server CA
... and the following certificates (in graphviz notation):
digraph {
1 -> 3;
2 -> 3;
3 -> 3;
3 -> 4;
}
And the question is who needs to disclose the (3->4) certificate.
Yes, that's my question.
FWIW Rob has exactly specified what I, as a relying party, would want
Mozilla to do on my behalf although I would interpolate ("... and audited")
each time he mentions disclosure.
This seems like a pretty sensible policy to me. One could consider it as
parallel to a hypothetical non-cross-signed scenario where the root relies
on the intermediate to disclose its subtree, then the root discloses the
intermediate.
I agree with him that the current policy does not clearly state this.
The current policy has the blessing / curse of using the passive voice
("...MUST either be technically constrained or be publicly disclosed and
audited."), which obscures which agent must do the disclosing. But that
also means (ISTM) that Rob's suggested resolution is consistent with the
policy. As long as the subordinate below the cross-signed intermediate is
disclosed, it doesn't matter who disclosed it; but if it's not, then all
the cross-signers are out of compliance.
I agree that my suggested resolution is consistent with the Mozilla CA
Policy.
However, it seems to be inconsistent with what Mozilla's recent CA
Communication requires CAs to do by the end of June (emphasis mine):
"ACTION #2: Beginning with Version 2.1 of Mozilla's CA Certificate
Policy, for any certificate which directly or transitively chains to the
root certificates you currently have included in Mozilla's CA
Certificate Program, which are capable of being used to issue new
certificates, and which are not technically constrained as described in
Section 9 of Mozilla's CA Certificate Inclusion Policy, *you are
required* to provide public-facing documentation about the certificate
verification requirements and annual public attestation of conformance
to said requirements. *This includes certificates owned by, operated by,
or issued by third parties, whether or not those issuing certificates
are already part of Mozilla's CA Certificate Program, if they have been
cross-signed by a certificate that directly or transitively chains to
your root certificate.*
To facilitate this public disclosure, Mozilla is requiring that these
certificates, as well as their CP/CPS and audit statements, be entered
into Mozilla's CA Community in Salesforce."
I see that Kathleen has added the following text to
https://wiki.mozilla.org/CA:CertificatePolicyV2.3#Proposed_Changes_Currently_in_Discussion
"Update transitive disclosure policy to reduce duplication of full CA
hierarchies
Update section 8 of Mozilla's CA Certificate Inclusion policy to say
that transitive disclosure is not required when the subject of the
CA-certificate is also the subject of a certificate included directly in
the Mozilla trust store."
However, ISTM that a "proposed change currently in discussion" is less
authoritative than the CA Communication (which, as I've said, seems to
explicitly require multiple disclosures of the same intermediate when
multiple trust paths exist).
Assuming everyone's happy with my suggested resolution, please would you
update the requirements for "ACTION #2" before the end of June (the
earlier the better!) so that multiple disclosures are not required?
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy