On Mon, Apr 3, 2017 at 12:36 PM, Jakob Bohm via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:
> On 03/04/2017 19:24, Ryan Sleevi wrote:
>>
>> On Mon, Apr 3, 2017 at 12:58 PM, Jakob Bohm via dev-security-policy <
>> dev-security-policy@lists.mozilla.org> wrote:
>>>
>>>
>>> taking a holiday and not being able to process a disclosure of a new
>>> SubCA.
>>>
>>
>> Considering that the CCADB does not require any of these parties to
>> process a disclosure, can you again explain why the proposed wording
>> would not be sufficient?
>>
>> I think you may be operating on incomplete/incorrect assumptions about
>> disclosure, and it would be useful to understand what you believe happens,
>> since that appears to have factored in to your suggestion. Given that the
>> proposal allows the CA to fully self-report (if they have access) or to
>> defer until they do have access, that does seem entirely appropriate and
>> relevant to allow for one week.
>>
>
> The assumptions are:
>
> 0. All relevant root programs set similar/identical policies or they
>   get incorporated into the CAB/F BRs on a future date.

This discussion is only about Mozilla's program.

> 1. When the SubCA must be disclosed to all root programs upon the
>   *earlier* of issuance + grace period OR outside facility SubCA
>   receiving the certificate (no grace period).

Disclosure means uploading the CCADB with other data (e.g. which CPS applies).

> 2. The SubCA must not issue any certificate (other than not-yet-used
>   SubCAs, OCSP certs and other such CA operation certs generated in the
>   same ceremony) until Disclosure to all root programs has been
>   completed.

This is a good callout.  It isn't clear how to handle issuance of
certificates prior to disclosure.

> 3. Disclosing to an operational and not-on-holiday root program team
>   (such as the CCADB most of the time) indirectly makes the SubCA
>   certificate available to the SubCA operator, *technically* (not
>   legally) allowing that SubCA to (improperly) start issuing before
>   rule #2 is satisfied.

I don't follow here.  The requirement is simply that the certificate
be uploaded prior to the CA issuing any certificates.  It doesn't
matter if the program team does anything with it.  It also has no
impact on whether the subordinate CA issues or does not issue -- the
subordinate CA controls the private key that can be used to create
signatures, not the root program team.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy