Fed Root (not trusted) signs DigiCert Fed CA (not trusted)

A third CA (trusted) signs Fed Root (now trusted)

DigiCert Fed CA is all of a sudden trusted, but not through DigiCert. This CA now 
shows up on the list although it wasn't DigiCert who signed it.


From: Eric Mill [mailto:e...@konklone.com] 
Sent: Thursday, June 23, 2016 2:41 PM
To: Ben Wilson <ben.wil...@digicert.com>
Cc: Peter Bowen <pzbo...@gmail.com>; Kurt Roeckx <k...@roeckx.be>; Richard 
Barnes <rbar...@mozilla.com>; Jeremy Rowley <jeremy.row...@digicert.com>; Steve 
<steve.me...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org; 
Kathleen Wilson <kwil...@mozilla.com>; Rob Stradling <rob.stradl...@comodo.com>
Subject: Re: Intermediate certificate disclosure deadline in 2 weeks


Peter, I think I get what you're saying about this being a different category 
of cross-sign, but could you spell out explicitly how this differs from e.g. 
the Identrust cross-sign issue that Richard linked to?


-- Eric


On Thu, Jun 23, 2016 at 4:39 PM, Ben Wilson <ben.wil...@digicert.com> wrote:

That's correct.

-----Original Message-----
From: Peter Bowen [mailto:pzbo...@gmail.com]
Sent: Thursday, June 23, 2016 2:39 PM
To: Ben Wilson <ben.wil...@digicert.com>
Cc: Eric Mill <e...@konklone.com>; Kurt Roeckx <k...@roeckx.be>; Richard Barnes 
<rbar...@mozilla.com>; Jeremy Rowley <jeremy.row...@digicert.com>; Steve 
<steve.me...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org; 
Kathleen Wilson <kwil...@mozilla.com>; Rob Stradling <rob.stradl...@comodo.com>
Subject: Re: Intermediate certificate disclosure deadline in 2 weeks

On Thu, Jun 23, 2016 at 11:45 AM, Ben Wilson <ben.wil...@digicert.com> wrote:
> Another issue that needs to be resolved involves the Federal Bridge
> CA 2013 ("Federal Bridge"). When a publicly trusted sub CA
> cross-certifies the Federal Bridge, then all of the CAs cross-certified by
> the Federal Bridge are trusted. The chart (https://crt.sh/mozilla-disclosures)
> then captures all "non-publicly-trusted" sub CAs. For instance, the following
> CAs are now caught up in the database, but there is no way to input them
> (or CAs subordinate to them) into Salesforce because only the CA that
> cross-certified the Federal Bridge has access to that certificate
> chain in Salesforce. In other words, I don't have access to input the
> DigiCert Federated ID CA-1 or its sub CAs.

Ben,

Correct me if I'm wrong, but the DigiCert CA you mention is part of a different 
PKI from the DigiCert public roots in Mozilla, right?  The only reason that it 
is showing in the list is because a non-DigiCert CA cross-signed the Federal 
PKI and the Federal PKI cross-signed the DigiCert CA in question, correct?

Thanks,
Peter


-- 

konklone.com <https://konklone.com>  | @konklone <https://twitter.com/konklone> 
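The transitive-trust effect the thread describes, worked as an added example (not code from the original message or from any of the CAs involved): a trusted root cross-signs the Federal Bridge, and every CA the Bridge has cross-certified becomes reachable from a public root even though none of them was issued by the CA that now "owns" the disclosure path. All CA names and edges below are constructed placeholders for the scenario, not real certificates.

```python
"""Constructed model of trust propagation through cross-certification.

Each edge (issuer, subject) means "issuer signed a CA certificate for subject".
A CA counts as publicly trusted when a path from a trusted root reaches it.
"""
from collections import deque

# Constructed stand-ins for the CAs discussed in the thread (not real certs).
FEDERAL_PKI = [
    ("Federal Bridge CA 2013", "DigiCert Federated ID CA-1"),
    ("DigiCert Federated ID CA-1", "DigiCert Federated ID Sub CA"),
    ("Federal Bridge CA 2013", "Other Agency CA"),
]
DIGICERT_PUBLIC = [("DigiCert Public Root", "DigiCert Public Server CA")]
PUBLIC_ROOTS = {"DigiCert Public Root", "Third-Party Public Root"}
# The single cross-sign that pulls the whole Federal PKI into the trusted set.
CROSS_SIGN = [("Third-Party Public Root", "Federal Bridge CA 2013")]


def trusted_cas(edges, roots):
    """Return {ca: chain_from_root} for every CA reachable from a trusted root."""
    children = {}
    for issuer, subject in edges:
        children.setdefault(issuer, []).append(subject)
    chains = {root: [root] for root in roots}
    queue = deque(roots)
    while queue:
        ca = queue.popleft()
        for sub in children.get(ca, []):
            if sub not in chains:          # breadth-first: shortest chain wins
                chains[sub] = chains[ca] + [sub]
                queue.append(sub)
    return chains


def newly_trusted_by(edges, roots, extra_edges):
    """CAs that are trusted only once extra_edges exist, with the chain that
    makes them trusted; chain[0] is the root whose cross-sign is responsible."""
    before = trusted_cas(edges, roots)
    after = trusted_cas(edges + extra_edges, roots)
    return {ca: chain for ca, chain in after.items() if ca not in before}


if __name__ == "__main__":
    pulled_in = newly_trusted_by(FEDERAL_PKI + DIGICERT_PUBLIC, PUBLIC_ROOTS, CROSS_SIGN)
    for ca, chain in pulled_in.items():
        # The CA named in the chain's first element, not the CA's own operator,
        # is the one that holds the trusted path (the disclosure problem raised above).
        print(f"{ca}: trusted via {chain[0]}: {' -> '.join(chain)}")
```

Removing the one `CROSS_SIGN` edge and rerunning shows the DigiCert Federated ID CAs drop out of the trusted set while the DigiCert public hierarchy is unaffected, which is the "different PKI" distinction Peter asks about.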


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
