On 20/06/16 18:58, Peter Bowen wrote:
> On Fri, Jun 17, 2016 at 4:12 AM, Rob Stradling <rob.stradl...@comodo.com> wrote:
>> Friendly reminder to all CA representatives:
>> Don't forget the June 30th deadline! And don't leave it until the last
>> minute if you have lots of intermediate certificates to disclose!
>> https://crt.sh/mozilla-disclosures
>> ...lists (under "Unconstrained id-kp-serverAuth Trust: Disclosure is
>> required!") the (many!) qualifying intermediate certificates that are known
>> to CT and that have not yet been disclosed to Salesforce.
> I found one bug in this list -- it is including self-signed
> certificates, which are not subject to disclosure, as they clearly
> don't chain back to a root in the Mozilla trust store.
If a CA key/DN has been cross-certified by a root in the Mozilla root
store, then I'd say that a self-signed cert for that CA key/DN does
chain back to a root in the Mozilla trust store. (The Issuer field in
the self-signed cert matches the Subject field in the trusted root cert,
and the signature on the self-signed cert can be verified by the public
key in the trusted root cert).
Of course it would be rather pointless to include a self-signed cert in
the middle of a trusted chain, but it would still be a chain.
> Thanks,
> Peter
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
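To make the disagreement concrete, here is an added toy model of the path-building step Rob describes; it is not code from crt.sh or from either poster. Certificates are plain dicts, a signature is represented by the id of the key that produced it, and every name and key id (Root R, Example CA, key-R, key-X) is constructed.

```python
# Added toy model of chain building (not code from crt.sh or either poster).
# A certificate is a dict; its "signature" is modelled as the id of the signing
# key, and verification as matching that id against the issuer's public key.
# All DNs and key ids below are constructed for illustration.

TRUST_STORE = [  # stands in for the Mozilla root store
    {"subject": "CN=Root R", "issuer": "CN=Root R", "key": "key-R", "signed_by": "key-R"},
]

# Cross-certificate issued by Root R to Example CA's key/DN ...
CROSS_CERT = {"subject": "CN=Example CA", "issuer": "CN=Root R",
              "key": "key-X", "signed_by": "key-R"}
# ... and Example CA's own self-signed cert for the same key/DN.
SELF_SIGNED = {"subject": "CN=Example CA", "issuer": "CN=Example CA",
               "key": "key-X", "signed_by": "key-X"}

def is_self_signed(cert):
    return cert["subject"] == cert["issuer"] and cert["signed_by"] == cert["key"]

def verifies_under(cert, candidate):
    """Issuer DN matches candidate's Subject and the signature checks out
    against candidate's public key: the two conditions Rob lists."""
    return cert["issuer"] == candidate["subject"] and cert["signed_by"] == candidate["key"]

def build_chain(cert, pool, roots, path=()):
    """Depth-first path building. Returns [cert, ..., root] or None.
    A certificate already on the path is never reused, so loops terminate."""
    path = path + (id(cert),)
    for root in roots:
        if verifies_under(cert, root):
            return [cert, root]
    for issuer in pool:
        if id(issuer) in path or not verifies_under(cert, issuer):
            continue
        rest = build_chain(issuer, pool, roots, path)
        if rest:
            return [cert] + rest
    return None

def disclosure_required(cert, pool, roots, skip_self_signed):
    """Peter's reading drops self-signed certs up front; Rob's reading asks only
    whether some chain to a trusted root exists. Roots themselves are exempt."""
    if cert in roots or (skip_self_signed and is_self_signed(cert)):
        return False
    return build_chain(cert, pool, roots) is not None

if __name__ == "__main__":
    pool = [SELF_SIGNED, CROSS_CERT]
    print([c["subject"] for c in build_chain(SELF_SIGNED, pool, TRUST_STORE)])
    print([disclosure_required(SELF_SIGNED, pool, TRUST_STORE, s) for s in (True, False)])
```

With the cross-certificate in the pool the self-signed cert chains as Example CA -> Example CA (cross) -> Root R, so the two readings disagree; without it, both agree that no chain exists.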
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy