On Thu, Jun 8, 2017 at 7:02 PM, Matthew Hardeman via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On Thursday, June 8, 2017 at 7:44:08 PM UTC-5, Ben Wilson wrote:
>> I don't believe that disclosure of root certificates is the responsibility
>> of a CA that has cross-certified a key. For instance, the CCADB interface
>> talks in terms of "Intermediate CAs". Root CAs are the responsibility of
>> browsers to upload. I don't even have access to upload a "root"
>> certificate.
>
> At least in terms of intention of disclosing the intermediates, I don't think
> you've made a fair assessment of the situation.
>
> The responsibility to disclose must fall upon the signer. Not the one who
> was signed.
>
> Cross-signature certificates are, effectively, intermediates granting an
> alternate / enhanced validation path to trust to a distinct, separate
> hierarchy.
>
> While IdenTrust signs Let's Encrypt's intermediates rather than a cross-sign
> of their root, the principle is ultimately the same. The browser programs
> clearly wish to have those who are positioned to grant trust accountable for
> any such trust that they grant.
>
> It's one question if the other root is already in the trust store, but
> imagine it's some large enterprise root that's been running, perhaps under
> appropriate audits but maybe not, cross-signed by a widely trusted program
> participant.
>
> Perhaps the text needs clarifying, but I find it hard to believe that any of
> the browser programs is of the opinion that you can cross-sign someone else's
> root cert and not disclose that.
I don't think that is the question at hand. I think Ben means "self-signed" or "self-issued" when he says "root" certificate.

I agree with Ben that self-signed certificates should be out of scope. Self-issued certificates that are not self-signed probably should be in scope.

Thanks,

Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
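The distinction Peter draws follows RFC 5280 section 3.2: a certificate is self-issued when its issuer and subject names are the same, and self-signed when it is self-issued and its signature also verifies under the public key it carries. A key-rollover certificate (old key certifying the new key under the same CA name) is self-issued but not self-signed; a cross-certificate issued to another hierarchy's name is neither. The Go program below is an added example, not part of the thread: it constructs one in-memory certificate of each kind (the CA names and keys are made up fixtures, not real CAs) and classifies them with the two checks above, which is what a disclosure-scope rule like the one discussed would have to decide.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Kind is the RFC 5280 classification of a CA certificate.
type Kind string

const (
	SelfSigned       Kind = "self-signed"       // issuer == subject, verifies under its own key
	SelfIssued       Kind = "self-issued"       // issuer == subject, signed by a different key
	CrossCertificate Kind = "cross-certificate" // issuer != subject: certifies another CA's key
)

// Classify applies the two RFC 5280 tests. Name comparison is done on the raw
// DER of the Name fields; full X.500 name matching rules are out of scope here.
func Classify(cert *x509.Certificate) Kind {
	if !bytes.Equal(cert.RawIssuer, cert.RawSubject) {
		return CrossCertificate
	}
	// Self-issued. Is the signature over the TBSCertificate valid under the
	// certificate's own subject public key?
	if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err == nil {
		return SelfSigned
	}
	return SelfIssued
}

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue creates a CA certificate for (subject, pub) signed by signerKey. A nil
// parent means the certificate is its own issuer (self-signed).
func issue(subject pkix.Name, pub *ecdsa.PublicKey, parent *x509.Certificate, signerKey *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildSamples constructs the three fixtures. All names and keys are invented
// for this example; they are not real CA certificates.
func BuildSamples() map[string]*x509.Certificate {
	rootName := pkix.Name{CommonName: "Example Trusted Root CA", Organization: []string{"Example Root Inc"}}
	otherName := pkix.Name{CommonName: "Example Enterprise Root CA", Organization: []string{"Example Enterprise"}}
	oldKey, newKey, otherKey := genKey(), genKey(), genKey()

	// 1. The root's own certificate: same name both sides, signed by its own key.
	root := issue(rootName, &oldKey.PublicKey, nil, oldKey, 1)
	// 2. Key rollover: same name both sides, but the old key certifies the new key.
	rollover := issue(rootName, &newKey.PublicKey, root, oldKey, 2)
	// 3. Cross-certificate: the trusted root certifies another hierarchy's root key
	//    under that hierarchy's name, so it sits as an intermediate in the root's tree.
	cross := issue(otherName, &otherKey.PublicKey, root, oldKey, 3)

	return map[string]*x509.Certificate{"root": root, "rollover": rollover, "cross": cross}
}

// ClassifyAll classifies every fixture and returns the result by fixture name.
func ClassifyAll() map[string]Kind {
	out := map[string]Kind{}
	for name, c := range BuildSamples() {
		out[name] = Classify(c)
	}
	return out
}

func main() {
	for name, k := range ClassifyAll() {
		fmt.Printf("%-9s -> %s\n", name, k)
	}
}
```

Under Peter's proposed rule, only the first fixture ("root", self-signed) would fall outside disclosure scope; the rollover certificate and the cross-certificate both carry a signature made by the trusted CA's key over someone's key and would be in scope.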