The Federal PKI has a tool to help identify trust paths, FPKI-graph.fpki-lab.gov<http://fpki-graph.fpki-lab.gov>.
I can do a true-up between the Mozilla CA list and FPKI trust paths to help identify which path may be causing the issue. Kenneth Myers Supporting the GSA Federal PKI Management Authority Protiviti | Government Solutions | Manager Alexandria | +1 571-366-6120<tel:+1%20571-366-6120> | kenneth.my...@protiviti.com<mailto:kenneth.my...@protiviti.com> Connect: LinkedIn<https://www.linkedin.com/in/kennethmy> | Thought Leadership: Protiviti.com<http://www.protiviti.it/en-US/Pages/Insights.aspx> On Jun 24, 2016, at 08:01, "dev-security-policy-requ...@lists.mozilla.org<mailto:dev-security-policy-requ...@lists.mozilla.org>" <dev-security-policy-requ...@lists.mozilla.org<mailto:dev-security-policy-requ...@lists.mozilla.org>> wrote: -----Original Message----- From: Peter Bowen [mailto:pzbo...@gmail.com] Sent: Thursday, June 23, 2016 3:35 PM To: Eric Mill <e...@konklone.com<mailto:e...@konklone.com>> Cc: Ben Wilson <ben.wil...@digicert.com<mailto:ben.wil...@digicert.com>>; Kurt Roeckx <k...@roeckx.be<mailto:k...@roeckx.be>>; Richard Barnes <rbar...@mozilla.com<mailto:rbar...@mozilla.com>>; Jeremy Rowley <jeremy.row...@digicert.com<mailto:jeremy.row...@digicert.com>>; Steve <steve.me...@gmail.com<mailto:steve.me...@gmail.com>>; mozilla-dev-security-pol...@lists.mozilla.org<mailto:mozilla-dev-security-pol...@lists.mozilla.org>; Kathleen Wilson <kwil...@mozilla.com<mailto:kwil...@mozilla.com>>; Rob Stradling <rob.stradl...@comodo.com<mailto:rob.stradl...@comodo.com>> Subject: Re: Intermediate certificate disclosure deadline in 2 weeks DigiCert didn't cross-sign the Federal PKI with their Mozilla trusted CAs. I'm sure Ben will tell me I have my terminology wrong, but DigiCert basically operates two PKIs: - DigiCert Public WebPKI - DigiCert Shared FederatedPKI The first is a set of CAs that are in the Mozilla program and CAs signed by the Mozilla program. The second is a set of CAs that are signed by the US Federal PKI; they are not in the Mozilla program. The problem is that some non-DigiCert CA int he Mozilla program signed the US Federal PKI. The DigiCert Shared FederatedPKI is now brought in via that signature, with which they had nothing to do. On Thu, Jun 23, 2016 at 1:41 PM, Eric Mill <e...@konklone.com<mailto:e...@konklone.com>> wrote: Peter, I think I get what you're saying about this being a different category of cross-sign, but could you spell out explicitly how this differs from e.g. the Identrust cross-sign issue that Richard linked to? -- Eric On Thu, Jun 23, 2016 at 4:39 PM, Ben Wilson <ben.wil...@digicert.com<mailto:ben.wil...@digicert.com>> wrote: That's correct. -----Original Message----- From: Peter Bowen [mailto:pzbo...@gmail.com] Sent: Thursday, June 23, 2016 2:39 PM To: Ben Wilson <ben.wil...@digicert.com<mailto:ben.wil...@digicert.com>> Cc: Eric Mill <e...@konklone.com<mailto:e...@konklone.com>>; Kurt Roeckx <k...@roeckx.be<mailto:k...@roeckx.be>>; Richard Barnes <rbar...@mozilla.com<mailto:rbar...@mozilla.com>>; Jeremy Rowley <jeremy.row...@digicert.com<mailto:jeremy.row...@digicert.com>>; Steve <steve.me...@gmail.com<mailto:steve.me...@gmail.com>>; mozilla-dev-security-pol...@lists.mozilla.org<mailto:mozilla-dev-security-pol...@lists.mozilla.org>; Kathleen Wilson <kwil...@mozilla.com<mailto:kwil...@mozilla.com>>; Rob Stradling <rob.stradl...@comodo.com<mailto:rob.stradl...@comodo.com>> Subject: Re: Intermediate certificate disclosure deadline in 2 weeks On Thu, Jun 23, 2016 at 11:45 AM, Ben Wilson <ben.wil...@digicert.com<mailto:ben.wil...@digicert.com>> wrote: Another issue that needs to be resolved involves the Federal Bridge CA 2013 (?Federal Bridge?). When a publicly trusted sub CA cross-certifies the Federal Bridge, then all of the CAs cross-certified by the Federal Bridge are trusted. The chart (https://urldefense.proofpoint.com/v2/url?u=https-3A__crt.sh_mozilla-2Ddisclosures&d=CwICAg&c=19TEyCb-E0do3cLmFgm9ItTXlbGQ5gmhRAlAtE256go&r=v6QfMBgWaMWhsB_PpBwwzxPtUwSffCWXSAR0gp0RFbY&m=1UjPfxX9IFMWqfbTaQcpveBJs1JYI4p_EuZaqww5tuQ&s=uEywlyUMGlYbep6vFNZz0xasu6IojurxbFc_8QrcDW0&e= ) then captures all ?non-publicly-trusted? sub CAs. For instance, the following CAs are now caught up in the database, but there is no way to input them (or CAs subordinate to them) into Salesforce because only the CA that cross-certified the Federal Bridge has access to that certificate chain in Salesforce. In otherwords, I don?t have access to input the DigiCert Federated ID CA-1 or its sub CAs. Ben, Correct me if I'm wrong, but the DigiCert CA you mention is part of a different PKI from the DigiCert public roots in Mozilla, right? The only reason that it is showing in the list is because a non-DigiCert CA cross-signed the Federal PKI and the Federal PKI cross-signed the DigiCert CA in question, correct? Thanks, Peter -- konklone.com<http://konklone.com> | @konklone NOTICE: Protiviti is a global consulting and internal audit firm composed of experts specializing in risk and advisory services. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. This electronic mail message is intended exclusively for the individual or entity to which it is addressed. This message, together with any attachment, may contain confidential and privileged information. Any views, opinions or conclusions expressed in this message are those of the individual sender and do not necessarily reflect the views of Protiviti Inc. or its affiliates. Any unauthorized review, use, printing, copying, retention, disclosure or distribution is strictly prohibited. If you have received this message in error, please immediately advise the sender by reply email message to the sender and delete all copies of this message. Thank you. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
