Thanks Eric.

1) Mutual trust is dependent on an exchange of certificates as outlined in 
the MOA and not the receipt. If one is removed, both must be removed per the 
MOA. It is currently being discussed to allow only a certificate receipt 
because mutual trust is a fundamental principle of the Federal Bridge. Revoking 
the certificate breaches the agreement. The IdenTrust CA is operated under a 
different program which coincidentally removed the certificate exchange 
requirement around the same time it was brought up in the forum and in the FPKI 
SSL testing.

2) The Federal Bridge is an identity hub and not an anchor. Trust is 
established through the cert chain to Federal Common Policy and not through a 
trust bundle or a trust store. Its purpose is to connect organizational PKIs so 
an affiliate or federal agency can continue to use their root CA as a trust 
anchor without the need to install other roots. By entering into an agreement 
with the Federal Bridge, all affiliates (Symantec included) recognize they 
trust certificates issued by other affiliates of the Federal Bridge based on 
the policy mapping in certificate exchange. All certificates are issued against 
the same criteria as outlined in the Federal Bridge CP and mapped to affiliate 
CPs.

Ken
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
