On 24/06/16 14:38, Rob Stradling wrote:
I've just updated https://crt.sh/mozilla-disclosures.

There's now a separate grouping for undisclosed intermediates for which
all observed paths to a trusted root have been "revoked".

A path is considered to be "revoked" if at least one intermediate in the
path has been 1) disclosed to Salesforce AND 2) marked as Revoked in
Salesforce and/or OneCRL.

I'm working on the problem of how to uncover which trust paths exist but
have not (yet) been revoked...

crt.sh now shows more info. Go to https://crt.sh/mozilla-disclosures, then click on a cert's SHA-1 thumbprint, then click the "Subject" link to go to the relevant "?caid=" page.

(Alternatively, append "&opt=mozilladisclosure" to any "?caid=" URL).

The list of "Certificates" issued to the CA will have a "Mozilla Trust (id-kp-serverAuth)" column.
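To make the "revoked path" rule above concrete, here is an added example (my own illustration, not crt.sh's code) that enumerates every chain from an intermediate to a trusted root over a constructed hierarchy, applies the rule, and also lists the paths that have not yet been revoked. All CA names and disclosure records are made up.

```python
# Added example, not crt.sh's code: models the "revoked path" rule from the message above
# on a constructed CA hierarchy. Names and records are made up.

# child CA -> set of CAs that have issued it a certificate.
# A CA with several issuers has been cross-certified.
ISSUERS = {
    "RootA": set(), "RootB": set(),       # both in the Mozilla root program
    "SubA": {"RootA"},
    "SubB": {"RootB"},
    "Bridge": {"SubA", "SubB"},           # cross-certified by two public sub CAs
    "FedID": {"Bridge"},                  # reachable only via the bridge
    "Other": {"SubA", "RootB"},           # cross-certified; one path is direct
}
TRUSTED_ROOTS = {"RootA", "RootB"}
# Constructed disclosure records: CA -> status; an absent CA is undisclosed.
DISCLOSED = {"SubA": "Revoked", "SubB": "Revoked"}

def trust_paths(ca, issuers=ISSUERS, roots=TRUSTED_ROOTS, seen=()):
    """All chains from `ca` to a trusted root, as lists with the root last."""
    if ca in seen:                        # cross-cert loops (A signs B, B signs A)
        return []
    if ca in roots:
        return [[ca]]
    paths = []
    for issuer in sorted(issuers.get(ca, ())):
        for tail in trust_paths(issuer, issuers, roots, seen + (ca,)):
            paths.append([ca] + tail)
    return paths

def path_is_revoked(path, disclosed=DISCLOSED):
    """The rule: revoked if any intermediate is disclosed AND marked Revoked."""
    return any(disclosed.get(ca) == "Revoked" for ca in path[:-1])

def live_paths(ca, issuers=ISSUERS, roots=TRUSTED_ROOTS, disclosed=DISCLOSED):
    """Paths that still confer trust: the ones not yet revoked."""
    return [p for p in trust_paths(ca, issuers, roots) if not path_is_revoked(p, disclosed)]

def classify(ca, issuers=ISSUERS, roots=TRUSTED_ROOTS, disclosed=DISCLOSED):
    """Which crt.sh-style group an intermediate falls in."""
    paths = trust_paths(ca, issuers, roots)
    if not paths:
        return "not trusted"
    if ca in disclosed:
        return "disclosed"
    if not live_paths(ca, issuers, roots, disclosed):
        return "undisclosed, all paths revoked"
    return "undisclosed, live path"

if __name__ == "__main__":
    for ca in ("Bridge", "FedID", "Other"):
        print(ca, "->", classify(ca), live_paths(ca))
```

In the constructed data, "Bridge" and "FedID" land in the all-paths-revoked group, while "Other" keeps one live path through RootB that a revocation of SubA alone does not cut.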

On 23/06/16 22:42, Ben Wilson wrote:
Peter is right, but the problem is similar to what's in the Identrust
thread mentioned by Richard.  "Cross-certifying a subordinated CA has
been standard practice by not only IdenTrust, but other large CAs such
as Symantec for more than a decade ..."

Trouble is, I can't tell by looking at
https://crt.sh/mozilla-disclosures who it was that cross-certified the
Federal Bridge.  If I could, then I could reach out to them and have
them update the CA hierarchy in Salesforce.

I am taking Richard's comment, "I would be willing to make an
exception for this specific case, since the Federal Bridge is a known
issue," as an indication that I do not need to disclose the DigiCert
Federated ID CA-1 in the Salesforce database.


-----Original Message-----
From: Peter Bowen [mailto:pzbo...@gmail.com]
Sent: Thursday, June 23, 2016 3:35 PM
To: Eric Mill <e...@konklone.com>
Cc: Ben Wilson <ben.wil...@digicert.com>; Kurt Roeckx
<k...@roeckx.be>; Richard Barnes <rbar...@mozilla.com>; Jeremy Rowley
<jeremy.row...@digicert.com>; Steve <steve.me...@gmail.com>;
mozilla-dev-security-pol...@lists.mozilla.org; Kathleen Wilson
<kwil...@mozilla.com>; Rob Stradling <rob.stradl...@comodo.com>
Subject: Re: Intermediate certificate disclosure deadline in 2 weeks

DigiCert didn't cross-sign the Federal PKI with their Mozilla trusted
CAs.

I'm sure Ben will tell me I have my terminology wrong, but DigiCert
basically operates two PKIs:
- DigiCert Public WebPKI
- DigiCert Shared FederatedPKI

The first is a set of CAs that are in the Mozilla program and CAs
signed by the Mozilla program.  The second is a set of CAs that are
signed by the US Federal PKI; they are not in the Mozilla program.

The problem is that some non-DigiCert CA in the Mozilla program signed
the US Federal PKI.  The DigiCert Shared FederatedPKI is now brought
in via that signature, with which they had nothing to do.

On Thu, Jun 23, 2016 at 1:41 PM, Eric Mill <e...@konklone.com> wrote:
Peter, I think I get what you're saying about this being a different
category of cross-sign, but could you spell out explicitly how this
differs from e.g. the Identrust cross-sign issue that Richard linked to?

-- Eric

On Thu, Jun 23, 2016 at 4:39 PM, Ben Wilson <ben.wil...@digicert.com>
wrote:

That's correct.

-----Original Message-----
From: Peter Bowen [mailto:pzbo...@gmail.com]
Sent: Thursday, June 23, 2016 2:39 PM
To: Ben Wilson <ben.wil...@digicert.com>
Cc: Eric Mill <e...@konklone.com>; Kurt Roeckx <k...@roeckx.be>;
Richard Barnes <rbar...@mozilla.com>; Jeremy Rowley
<jeremy.row...@digicert.com>; Steve <steve.me...@gmail.com>;
mozilla-dev-security-pol...@lists.mozilla.org; Kathleen Wilson
<kwil...@mozilla.com>; Rob Stradling <rob.stradl...@comodo.com>
Subject: Re: Intermediate certificate disclosure deadline in 2 weeks

On Thu, Jun 23, 2016 at 11:45 AM, Ben Wilson
<ben.wil...@digicert.com>
wrote:
Another issue that needs to be resolved involves the Federal
Bridge CA 2013 ("Federal Bridge").  When a publicly trusted sub CA
cross-certifies the Federal Bridge, then all of the CAs
cross-certified by the Federal Bridge are trusted.  The chart
(https://crt.sh/mozilla-disclosures) then captures all
"non-publicly-trusted" sub CAs.  For instance, the following
CAs are now caught up in the database, but there is no way to
input them (or CAs subordinate to them) into Salesforce because
only the CA that cross-certified the Federal Bridge has access to
that certificate chain in Salesforce.  In other words, I don't have
access to input the DigiCert Federated ID CA-1 or its sub CAs.

Ben,

Correct me if I'm wrong, but the DigiCert CA you mention is part of a
different PKI from the DigiCert public roots in Mozilla, right?  The
only reason that it is showing in the list is because a non-DigiCert
CA cross-signed the Federal PKI and the Federal PKI cross-signed the
DigiCert CA in question, correct?

Thanks,
Peter


--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy