So my understanding of this is that Symantec knowns that the other CAs have not been audited as required under the Mozilla policy, that they shouldn't have signed those certs, but refuse to revoke it because they're being paid for it. This is in my opinion just not acceptable.
Either Symantec's CP/CPS is not compatible with the Mozilla Policy in which case the Symantec root should be removed, or they're not following it in which case they should revoke that certificate. Kurt On Tue, Jun 28, 2016 at 09:48:10PM +0000, Myers, Kenneth (10421) wrote: > Thanks Rob. I came to the same conclusion. > > I am a contractor supporting the Federal PKI and do not speak on their > behalf, but would like to help clear up some misconceptions around the > Federal PKI. > > 1) The Symantec Cross Cert has not been revoked. > The Federal PKI is an identity federation based on mutual trust of people. > Multiple federal and non-federal organizations coming together based on > common identity assurances for the benefit of G2G, C2G, and B2G digital > transactions. Every affiliate within the Federal PKI adheres to the Federal > Bridge CP which is based off NIST and international standards and other > federal laws around identity management and information security to establish > trusted operations and the criteria for a level of assurance. Multiple > federal mandates and laws exist for the use of the Federal Bridge to accept > commercial PKI credentials for electronic authentication and digital > signature (mentioned below). Participating PKIs enter into a legal agreement > (MOA) with the federal government to establish that trust and define the > requirements around mutual recognition (Application for cross certification, > https://www.idmanagement.gov/IDM/servlet/fileField?entityId=ka0t0000000TNS6AAO&field=File__Body__s). T > his is evidenced through the exchange of certificates between organizational > PKIs (In this case between the Federal Bridge and the Symantec CA) after a > passing audit report. The FPKI audit requirements are based on a direct CP to > CPS analysis with annual core requirements which provides improved assurance > that affiliates continue to operate according to the Federal Bridge CP > (https://www.idmanagement.gov/IDM/servlet/fileField?entityId=ka0t0000000TNYYAA4&field=File__Body__s). > Without the exchange, there is no mutual trust. Symantec is a valued partner > within the Federal PKI supporting nine non-federal organizations with 33 > operational CAs under the Federal PKI non-federal issuer program. To revoke > the Symantec certificate, the certificates issued by organizations under > Symantec would no longer be trusted by federal relying parties. Symantec is > resolving the issue with the Federal PKI Policy Authority, but the risk to > revoking the certificate is still uncertain. > > 2) It is not acceptable for CAs trusted by the Mozilla Program to cross-sign > with the Federal Bridge (From Richard Barnes) There is a fundamental and > growing philosophical difference between the Federal PKI (based on strong > assurance of people identities for general use) and the PKI industry > (assurance of device identities for specific uses). The Federal PKI continues > to work to update our requirements to meet Mozilla program acceptance, but it > is a difficult path. The Federal PKI is a heavily regulated environment > governed by its members, federal regulations, and operated according to NIST > and international standards. The Federal PKI is composed of: > - 19 affiliates > - 254 CAs > - 71 issuing partners > - 93 federal agencies > - >five million users > - >22 million active certificates issued to both people and devices > > This does not include the federal relying party and commercial applications > which accept FPKI certificates for authentication or other purposes. It is > important to the Federal PKI that theses certificates are trusted to meet > multiple federal drivers around electronic authentication/digital signature > (Digital Signature and Electronic Authentication Act, Electronic Signatures > in Global and National Commerce Act, and Government Paperwork Elimination > Act) as well as PKI interoperability (E-Government Act) and strong > authentication (Homeland Security Presidential Directive-12, White House > Cybersecurity Strategy and Implementation Plan, and White House Cybersecurity > National Action Plan) requirements. In some cases it is not a simple process > to update the Federal PKI Certificate Policies, but we are very close to > meeting the last two Mozilla requirements for our application which include > incorporating CAB Forum BR and Mozilla CP requirements and publicly posting > CP, CPS, and audi t > letters for the Shared Service Providers. Even small changes have a lasting > impact to both federal budget and operational practices and must be > understand. > > If you're interested in a closer look, I've attached a white paper of the > FPKI Infrastructure and Architecture > (https://www.idmanagement.gov/IDM/s/document_detail?Id=kA0t0000000KyroCAC). > > Ken > > -----Original Message----- > From: Rob Stradling [mailto:rob.stradl...@comodo.com] > Sent: Monday, June 27, 2016 09:01 > To: Myers, Kenneth (10421) <kenneth.my...@protiviti.com>; > dev-security-policy@lists.mozilla.org > Subject: Re: Intermediate certificate disclosure deadline in 2 weeks > > On 27/06/16 12:13, Myers, Kenneth (10421) wrote: > > The Federal PKI has a tool to help identify trust paths, > > FPKI-graph.fpki-lab.gov<https://urldefense.proofpoint.com/v2/url?u=http-3A__fpki-2Dgraph.fpki-2Dlab.gov&d=CwIC-g&c=19TEyCb-E0do3cLmFgm9ItTXlbGQ5gmhRAlAtE256go&r=v6QfMBgWaMWhsB_PpBwwzxPtUwSffCWXSAR0gp0RFbY&m=DlNVTZg70U3he7Kt-304vEDqF9fDGX8jfPq5RnStn50&s=pqUpzJZnt7pQ1HsJr6dBrqifrxrdjl-iFkah0G685TY&e= > > >. > > > > I can do a true-up between the Mozilla CA list and FPKI trust paths to help > > identify which path may be causing the issue. > > Hi Kenneth. It would be great if you could do that, especially if there are > any trust paths that are not yet known to CT / crt.sh. > > I've just run some analysis on the crt.sh DB. It's the following 2 > cross-certificates that are of interest: > > https://urldefense.proofpoint.com/v2/url?u=https-3A__crt.sh_-3Fid-3D9114292&d=CwIC-g&c=19TEyCb-E0do3cLmFgm9ItTXlbGQ5gmhRAlAtE256go&r=v6QfMBgWaMWhsB_PpBwwzxPtUwSffCWXSAR0gp0RFbY&m=DlNVTZg70U3he7Kt-304vEDqF9fDGX8jfPq5RnStn50&s=diEBbsWTZ7Zo0d_TwT8WGR-3EwDoH469HqxCqlif53k&e= > > Issuer: IdenTrust ACES CA 1 > Subject: Federal Bridge CA 2013 > OneCRL: Already revoked. > Salesforce: Not yet disclosed. > > https://urldefense.proofpoint.com/v2/url?u=https-3A__crt.sh_-3Fid-3D12638543&d=CwIC-g&c=19TEyCb-E0do3cLmFgm9ItTXlbGQ5gmhRAlAtE256go&r=v6QfMBgWaMWhsB_PpBwwzxPtUwSffCWXSAR0gp0RFbY&m=DlNVTZg70U3he7Kt-304vEDqF9fDGX8jfPq5RnStn50&s=JB_38bUAYT_Hl4B58oExVy_P8sXMISQGtZhyoyoSx2U&e= > > Issuer: VeriSign Class 3 SSP Intermediate CA - G2 > Subject: Federal Bridge CA 2013 > OneCRL: Not yet revoked. > Salesforce: Not yet disclosed. > > If/when both of these intermediates are disclosed to Salesforce as "revoked", > crt.sh should (once Mozilla have updated the CSV reports) detect the FPKI > trust paths as "revoked". > > Richard Barnes wrote on 23rd: > "It should be clear by this point that it is not acceptable for CAs trusted > by the Mozilla program to cross-sign the Federal Bridge" > > That Symantec cross-cert has not yet even been revoked via CRL! > > > Kenneth Myers > > Supporting the GSA Federal PKI Management Authority Protiviti | > > Government Solutions | Manager Alexandria | +1 > > 571-366-6120<tel:+1%20571-366-6120> | > > kenneth.my...@protiviti.com<mailto:kenneth.my...@protiviti.com> > > Connect: > > LinkedIn<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.link > > edin.com_in_kennethmy&d=CwIC-g&c=19TEyCb-E0do3cLmFgm9ItTXlbGQ5gmhRAlAt > > E256go&r=v6QfMBgWaMWhsB_PpBwwzxPtUwSffCWXSAR0gp0RFbY&m=DlNVTZg70U3he7K > > t-304vEDqF9fDGX8jfPq5RnStn50&s=yxnEOhIxqEJxYCndopgWxHD8FxhHFsjtBlvztmv > > whhM&e= > | Thought Leadership: > > Protiviti.com<http://www.protiviti.it/en-US/Pages/Insights.aspx> > > > > On Jun 24, 2016, at 08:01, > > "dev-security-policy-requ...@lists.mozilla.org<mailto:dev-security-policy-requ...@lists.mozilla.org>" > > > > <dev-security-policy-requ...@lists.mozilla.org<mailto:dev-security-policy-requ...@lists.mozilla.org>> > > wrote: > > > > -----Original Message----- > > From: Peter Bowen [mailto:pzbo...@gmail.com] > > Sent: Thursday, June 23, 2016 3:35 PM > > To: Eric Mill <e...@konklone.com<mailto:e...@konklone.com>> > > Cc: Ben Wilson > > <ben.wil...@digicert.com<mailto:ben.wil...@digicert.com>>; Kurt Roeckx > > <k...@roeckx.be<mailto:k...@roeckx.be>>; Richard Barnes > > <rbar...@mozilla.com<mailto:rbar...@mozilla.com>>; Jeremy Rowley > > <jeremy.row...@digicert.com<mailto:jeremy.row...@digicert.com>>; Steve > > <steve.me...@gmail.com<mailto:steve.me...@gmail.com>>; > > mozilla-dev-security-pol...@lists.mozilla.org<mailto:mozilla-dev-secur > > ity-pol...@lists.mozilla.org>; Kathleen Wilson > > <kwil...@mozilla.com<mailto:kwil...@mozilla.com>>; Rob Stradling > > <rob.stradl...@comodo.com<mailto:rob.stradl...@comodo.com>> > > Subject: Re: Intermediate certificate disclosure deadline in 2 weeks > > > > DigiCert didn't cross-sign the Federal PKI with their Mozilla trusted CAs. > > > > I'm sure Ben will tell me I have my terminology wrong, but DigiCert > > basically operates two PKIs: > > - DigiCert Public WebPKI > > - DigiCert Shared FederatedPKI > > > > The first is a set of CAs that are in the Mozilla program and CAs signed by > > the Mozilla program. The second is a set of CAs that are signed by the US > > Federal PKI; they are not in the Mozilla program. > > > > The problem is that some non-DigiCert CA int he Mozilla program signed the > > US Federal PKI. The DigiCert Shared FederatedPKI is now brought in via > > that signature, with which they had nothing to do. > > > > On Thu, Jun 23, 2016 at 1:41 PM, Eric Mill > > <e...@konklone.com<mailto:e...@konklone.com>> wrote: > > Peter, I think I get what you're saying about this being a different > > category of cross-sign, but could you spell out explicitly how this > > differs from e.g. the Identrust cross-sign issue that Richard linked to? > > > > -- Eric > > > > On Thu, Jun 23, 2016 at 4:39 PM, Ben Wilson > > <ben.wil...@digicert.com<mailto:ben.wil...@digicert.com>> wrote: > > > > That's correct. > > > > -----Original Message----- > > From: Peter Bowen [mailto:pzbo...@gmail.com] > > Sent: Thursday, June 23, 2016 2:39 PM > > To: Ben Wilson > > <ben.wil...@digicert.com<mailto:ben.wil...@digicert.com>> > > Cc: Eric Mill <e...@konklone.com<mailto:e...@konklone.com>>; Kurt > > Roeckx <k...@roeckx.be<mailto:k...@roeckx.be>>; > > Richard Barnes <rbar...@mozilla.com<mailto:rbar...@mozilla.com>>; > > Jeremy Rowley > > <jeremy.row...@digicert.com<mailto:jeremy.row...@digicert.com>>; Steve > > <steve.me...@gmail.com<mailto:steve.me...@gmail.com>>; > > mozilla-dev-security-pol...@lists.mozilla.org<mailto:mozilla-dev-secur > > ity-pol...@lists.mozilla.org>; Kathleen Wilson > > <kwil...@mozilla.com<mailto:kwil...@mozilla.com>>; Rob Stradling > > <rob.stradl...@comodo.com<mailto:rob.stradl...@comodo.com>> > > Subject: Re: Intermediate certificate disclosure deadline in 2 weeks > > > > On Thu, Jun 23, 2016 at 11:45 AM, Ben Wilson > > <ben.wil...@digicert.com<mailto:ben.wil...@digicert.com>> > > wrote: > > Another issue that needs to be resolved involves the Federal Bridge > > CA 2013 (?Federal Bridge?). When a publicly trusted sub CA > > cross-certifies the Federal Bridge, then all of the CAs > > cross-certified by the Federal Bridge > > are trusted. The chart > > (https://urldefense.proofpoint.com/v2/url?u=https-3A__crt.sh_mozilla-2Ddisclosures&d=CwICAg&c=19TEyCb-E0do3cLmFgm9ItTXlbGQ5gmhRAlAtE256go&r=v6QfMBgWaMWhsB_PpBwwzxPtUwSffCWXSAR0gp0RFbY&m=1UjPfxX9IFMWqfbTaQcpveBJs1JYI4p_EuZaqww5tuQ&s=uEywlyUMGlYbep6vFNZz0xasu6IojurxbFc_8QrcDW0&e= > > ) then > > captures > > all ?non-publicly-trusted? sub CAs. For instance, the following CAs > > are now caught up in the database, but there is no way to input them > > (or CAs subordinate to them) into Salesforce because only the CA that > > cross-certified the Federal Bridge has access to that certificate > > chain in Salesforce. In otherwords, I don?t have access to input the > > DigiCert Federated ID CA-1 or its sub CAs. > > > > > > Ben, > > > > Correct me if I'm wrong, but the DigiCert CA you mention is part of a > > different PKI from the DigiCert public roots in Mozilla, right? The > > only reason that it is showing in the list is because a non-DigiCert > > CA cross-signed the Federal PKI and the Federal PKI cross-signed the > > DigiCert CA in question, correct? > > > > Thanks, > > Peter > > > > > > > > > > > > -- > > konklone.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__konkl > > one.com&d=CwIC-g&c=19TEyCb-E0do3cLmFgm9ItTXlbGQ5gmhRAlAtE256go&r=v6QfM > > BgWaMWhsB_PpBwwzxPtUwSffCWXSAR0gp0RFbY&m=DlNVTZg70U3he7Kt-304vEDqF9fDG > > X8jfPq5RnStn50&s=c1rqzKNHVjlgTVwNLW7gmcTVRl_FBL23W8HwCSj5YQ4&e= > | > > @konklone > > NOTICE: Protiviti is a global consulting and internal audit firm composed > > of experts specializing in risk and advisory services. Protiviti is not > > licensed or registered as a public accounting firm and does not issue > > opinions on financial statements or offer attestation services. This > > electronic mail message is intended exclusively for the individual or > > entity to which it is addressed. This message, together with any > > attachment, may contain confidential and privileged information. Any views, > > opinions or conclusions expressed in this message are those of the > > individual sender and do not necessarily reflect the views of Protiviti > > Inc. or its affiliates. Any unauthorized review, use, printing, copying, > > retention, disclosure or distribution is strictly prohibited. If you have > > received this message in error, please immediately advise the sender by > > reply email message to the sender and delete all copies of this message. > > Thank you. > > _______________________________________________ > > dev-security-policy mailing list > > dev-security-policy@lists.mozilla.org > > https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.mozilla.org > > _listinfo_dev-2Dsecurity-2Dpolicy&d=CwIC-g&c=19TEyCb-E0do3cLmFgm9ItTXl > > bGQ5gmhRAlAtE256go&r=v6QfMBgWaMWhsB_PpBwwzxPtUwSffCWXSAR0gp0RFbY&m=DlN > > VTZg70U3he7Kt-304vEDqF9fDGX8jfPq5RnStn50&s=Us3UaVYVbznpkZ1j73y7EA6kkrF > > wQVLbqsrIXxgTQFs&e= > > > > -- > Rob Stradling > Senior Research & Development Scientist > COMODO - Creating Trust Online > Office Tel: +44.(0)1274.730505 > Office Fax: +44.(0)1274.730909 > www.comodo.com > > COMODO CA Limited, Registered in England No. 04058690 Registered Office: > 3rd Floor, 26 Office Village, Exchange Quay, > Trafford Road, Salford, Manchester M5 3EQ > > This e-mail and any files transmitted with it are confidential and intended > solely for the use of the individual or entity to whom they are addressed. > If you have received this email in error please notify the sender by replying > to the e-mail containing this attachment. Replies to this email may be > monitored by COMODO for operational or business reasons. Whilst every > endeavour is taken to ensure that e-mails are free from viruses, no liability > can be accepted and the recipient is requested to use their own virus > checking software. > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
