IdenTrust operates an issuing CA for the US Federal Government - General Services Administration - Access Certificates for Electronic Services Program (ACES). It is a government-sponsored PKI program separate from the Non-Federal issuer programs under the Federal Bridge.
ACES certificates can be used for identity (people signature and authentication) or devices (server authentication). The individual ACES vendors write their own CPS, and the IdenTrust CPS meets the CAB Forum BRs through a WebTrust for SSL audit (https://cert.webtrust.org/SealFile?seal=2106&file=pdf).

IdenTrust operates their ACES issuing CA with a path to both the Federal Common Policy CA and an IdenTrust public root. Since the issuing CA is certified with the Federal PKI and not the root, there is no path to the IdenTrust public root from the rest of the Federal PKI. I think this and DigiCert are the only two examples of a PKI hierarchy with the Federal PKI that do not allow Federal PKI certificates to validate to the public root of the company. This testing was outlined in the FPKI SSL testing on github: https://github.com/18F/fpki-testing

> From a user experience perspective, companies (and government agencies) should
> use SSL certificates that fit their requirements. Trying to explain how to use
> PKI is hard enough so having a statement that says "Don't use this PKI except
> where and when in this configuration" just adds to the confusion. I'd say that
> statement fit the needs of the overall federal government effort in ensuring
> federal websites used SSL certificates which offered a consistent user
> experience.

@Peter - "But the policy mapping between these different use cases is perhaps overly complex and certainly not user friendly." - Do you mean the policy mapping used by ACES and the Federal PKI? This specific IdenTrust CA does not have a cross-certificate back to the Federal PKI. It has two distinct validation paths to two different roots: Federal Common Policy and the IdenTrust Public Root. Only IdenTrust-issued ACES Federal PKI certificates can validate with Mozilla.
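As an added illustration (not from the original message, and not IdenTrust's or the Federal PKI's own code), a small Python model of the trust graph described above: each certificate is an (issuer, subject) edge, and a path builder enumerates chains from a leaf up to whichever anchors a relying party trusts. The agency issuing CA, the two-way Federal Bridge cross-certificates and the hostnames are assumptions made for the model.

```python
# Toy model of the certification paths discussed in the thread. Names are
# illustrative; the agency CA and the Bridge cross-certificates are assumptions.

# Each certificate is an (issuer, subject) edge. The Common Policy CA and the
# Federal Bridge CA are modelled as cross-certified in both directions
# (assumption), which is what creates loops a path builder has to break.
CERTIFICATES = [
    ("IdenTrust Public Root", "IdenTrust ACES Issuing CA"),
    ("Federal Common Policy CA", "IdenTrust ACES Issuing CA"),
    ("IdenTrust ACES Issuing CA", "aces.example.gov"),       # ACES server cert
    ("Federal Common Policy CA", "Federal Bridge CA"),        # assumption
    ("Federal Bridge CA", "Federal Common Policy CA"),        # assumption
    ("Federal Common Policy CA", "Agency Issuing CA"),        # assumption
    ("Agency Issuing CA", "www.agency.example.gov"),          # non-ACES cert
]

FEDERAL_ANCHORS = {"Federal Common Policy CA"}
MOZILLA_ANCHORS = {"IdenTrust Public Root"}   # only the public root ships in browsers


def issuers_of(subject, certificates):
    """Every CA that has issued a certificate to `subject`."""
    return [issuer for issuer, subj in certificates if subj == subject]


def build_paths(leaf, anchors, certificates=CERTIFICATES):
    """All certification paths from `leaf` to a trusted anchor.

    A path is a list of names, leaf first. Names already on the partial path
    are not revisited, so bidirectional cross-certificates cannot loop forever.
    """
    paths = []

    def walk(path):
        current = path[-1]
        if current in anchors:
            paths.append(list(path))
            return
        for issuer in issuers_of(current, certificates):
            if issuer not in path:
                walk(path + [issuer])

    walk([leaf])
    return paths


def reachable_anchors(leaf, anchors, certificates=CERTIFICATES):
    """The trust anchors a relying party with `anchors` can chain `leaf` to."""
    return {path[-1] for path in build_paths(leaf, anchors, certificates)}
```

Run against the two leaves, the ACES certificate reaches both roots, while the agency certificate reaches only the Common Policy CA and has no path at all for a relying party that trusts just the IdenTrust public root.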