Peter, I think I get what you're saying about this being a different category of cross-sign, but could you spell out explicitly how this differs from e.g. the Identrust cross-sign issue that Richard linked to?

-- Eric

On Thu, Jun 23, 2016 at 4:39 PM, Ben Wilson <ben.wil...@digicert.com> wrote:

> That's correct.
>
> -----Original Message-----
> From: Peter Bowen [mailto:pzbo...@gmail.com]
> Sent: Thursday, June 23, 2016 2:39 PM
> To: Ben Wilson <ben.wil...@digicert.com>
> Cc: Eric Mill <e...@konklone.com>; Kurt Roeckx <k...@roeckx.be>; Richard Barnes <rbar...@mozilla.com>; Jeremy Rowley <jeremy.row...@digicert.com>; Steve <steve.me...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org; Kathleen Wilson <kwil...@mozilla.com>; Rob Stradling <rob.stradl...@comodo.com>
> Subject: Re: Intermediate certificate disclosure deadline in 2 weeks
>
> On Thu, Jun 23, 2016 at 11:45 AM, Ben Wilson <ben.wil...@digicert.com> wrote:
> > Another issue that needs to be resolved involves the Federal Bridge
> > CA 2013 (“Federal Bridge”). When a publicly trusted sub CA
> > cross-certifies the Federal Bridge, then all of the CAs cross-certified
> > by the Federal Bridge are trusted. The chart
> > (https://crt.sh/mozilla-disclosures) then captures
> > all “non-publicly-trusted” sub CAs. For instance, the following CAs
> > are now caught up in the database, but there is no way to input them
> > (or CAs subordinate to them) into Salesforce because only the CA that
> > cross-certified the Federal Bridge has access to that certificate
> > chain in Salesforce. In other words, I don’t have access to input the
> > DigiCert Federated ID CA-1 or its sub CAs.
>
> Ben,
>
> Correct me if I'm wrong, but the DigiCert CA you mention is part of a
> different PKI from the DigiCert public roots in Mozilla, right? The only
> reason that it is showing in the list is because a non-DigiCert CA
> cross-signed the Federal PKI and the Federal PKI cross-signed the DigiCert
> CA in question, correct?
>
> Thanks,
> Peter

--
konklone.com | @konklone <https://twitter.com/konklone>