On 27/03/2017 23:12, Andrew Ayer wrote:
[ Corresponding issue on GitHub: https://github.com/mozilla/pkipolicy/issues/67 ]
Mozilla's CA Certificate Policy says:
All certificates that are capable of being used to issue new
certificates, that are not technically constrained, and that directly
or transitively chain to a certificate included in Mozilla's CA
Certificate Program MUST be audited in accordance with Mozilla's CA
Certificate Policy and MUST be publicly disclosed in the CCADB by the
CA that has their certificate included in Mozilla's CA Certificate
Program.
One cannot disclose a sub-CA certificate without first signing it, so
there will always be some delay between the creation of a sub-CA and
its disclosure in the CCADB. How long can a CA delay the disclosure?
All the policy currently says is this:
The CA with a certificate included in Mozilla's CA Certificate
Program MUST disclose this information before any such subordinate CA
is allowed to issue certificates.
My interpretation of the policy is that a CA could delay disclosure for
quite some time if the sub-CA is not used to issue certificates right
away. If the sub-CA is created as a backup that is never used, the
disclosure would never need to happen.
I think this is bad. An upper limit on the delay should be precisely
specified by the policy. My opinion is that it should be on the order
of days, although the policy might need to afford some leeway to CAs
that are new to the Mozilla program and do not have access yet to CCADB.
If retaining the ban on using the SubCA before disclosure, the max
delay for still-unused SubCAs could safely be longer, say a few months.
It should also be made a requirement that the issued SubCA certificate
is provided to the CCADB and other root programs before providing it to
the SubCA owner/operator, and that providing the SubCA certificate to
multiple root programs should be done within a single 72-hour period
(because a bad SubCA operator could grab the cert from CCADB etc.
before receiving it from the CA).
In practice this would mean the issuing CA getting their upload-to-root-
programs procedures ready and checking for scheduled root-program
holidays before hitting GO on the upload process. For example, I
suspect that some root programs not using the CCADB automated system
would not be able to process new SubCA submissions during the upcoming
Christian Easter holiday (which is also frequently used for scheduled
server downtime).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded