On 09/06/2017 11:57, Rob Stradling wrote:
> On 09/06/17 03:16, Peter Bowen via dev-security-policy wrote:
>> On Thu, Jun 8, 2017 at 7:09 PM, Jonathan Rudenberg via
>> dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>>> On Jun 8, 2017, at 20:43, Ben Wilson via dev-security-policy
>>> <dev-security-policy@lists.mozilla.org> wrote:
>>>> I don't believe that disclosure of root certificates is the responsibility
>>>> of a CA that has cross-certified a key. For instance, the CCADB interface
>>>> talks in terms of "Intermediate CAs". Root CAs are the responsibility of
>>>> browsers to upload. I don't even have access to upload a "root" certificate.
>>>
>>> I think the Mozilla Root Store policy is pretty clear on this point:
>>>
>>>     All certificates that are capable of being used to issue new
>>>     certificates, and which directly or transitively chain to a
>>>     certificate included in Mozilla’s CA Certificate Program, MUST be
>>>     operated in accordance with this policy and MUST either be
>>>     technically constrained or be publicly disclosed and audited.
>>>
>>> The self-signed certificates in the present set are all in scope for
>>> the disclosure policy because they are capable of being used to issue
>>> new certificates and chain to a certificate included in Mozilla’s CA
>>> Certificate Program. From the perspective of the Mozilla root store
>>> they look like intermediates because they can be used as
>>> intermediates in a valid path to a root certificate trusted by Mozilla.
>>
>> There are two important things about self-issued certificates:
>>
>> 1) They cannot expand the scope of what is allowed.
>> Cross-certificates can create alternative paths with different
>> restrictions. Self-issued certificates do not provide alternative
>> paths that may have fewer constraints.
>>
>> 2) There is no way for a "parent" CA to prevent them from existing.
>> Even if the only cross-sign has a path length constraint of zero, the
>> "child" CA can issue self-issued certificates all day long. If they
>> are self-signed there is no real value in disclosing them, given #1.
>>
>> I think that it is reasonable to say that self-signed certificates are
>> out of scope.
>
> There's a signature chain, so they're clearly in scope (as far as the
> current policy is concerned).
>
> The policy would need to be updated before we could say that they "*are*
> out of scope".
>
> (FWIW, I agree that it's pointless for them to be in scope. However,
> the policy trumps my opinion).

What in the policy says they become in-scope from a certificate chain
that isn't "anchored" at a Mozilla trusted root?

And would someone please post those alleged certificate chains
*explicitly* here, not just say they saw it "somehow".
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
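Peter's two points about self-issued certificates rest on how RFC 5280 path validation counts hops. The following is an added example, not part of the thread: a toy model of the section 6.1.4 path-length bookkeeping, where a self-issued certificate does not consume a hop. Certificates are constructed dicts, and the field names "subject", "issuer" and "path_len" are assumptions of this model, not real X.509 parsing.

```python
# Toy model of RFC 5280 section 6.1.4 pathLenConstraint handling.
# Certificates are constructed dicts (assumed fields: subject, issuer,
# path_len); no real X.509 parsing or signature checking is done.

def is_self_issued(cert):
    """RFC 5280 section 6.1: self-issued means issuer name == subject name."""
    return cert["issuer"] == cert["subject"]


def check_path_length(path):
    """Enforce pathLenConstraint over a path ordered from the certificate
    issued by the trust anchor (index 0) down to the end-entity certificate.
    Only non-self-issued CA certificates consume a hop, so a self-issued
    certificate can sit in a valid path without widening what the
    cross-sign permitted. Returns (ok, reason)."""
    max_path_length = len(path)  # RFC initial value: effectively unbounded
    for cert in path[:-1]:       # "prepare for next certificate" steps
        if not is_self_issued(cert):
            if max_path_length <= 0:
                return False, f"pathLenConstraint exceeded at {cert['subject']!r}"
            max_path_length -= 1
        plc = cert.get("path_len")
        if plc is not None and plc < max_path_length:
            max_path_length = plc
    return True, "ok"


# Constructed chain: a parent root cross-signs "Child CA" with pathLen 0;
# Child CA also holds a self-issued certificate for its own name and key.
CROSS_SIGN = {"subject": "Child CA", "issuer": "Parent Root", "path_len": 0}
SELF_ISSUED = {"subject": "Child CA", "issuer": "Child CA"}
SUB_CA = {"subject": "Child Sub CA", "issuer": "Child CA"}
LEAF = {"subject": "example.test", "issuer": "Child CA"}
LEAF_VIA_SUB = {"subject": "example.test", "issuer": "Child Sub CA"}


def scenarios():
    """The self-issued cert is part of a valid path (so it chains to the
    parent root), yet a subordinate CA beneath it is still blocked by the
    cross-sign's pathLen 0: it adds no path with fewer constraints."""
    return {
        "self_issued_in_path": check_path_length([CROSS_SIGN, SELF_ISSUED, LEAF]),
        "sub_ca_under_self_issued": check_path_length(
            [CROSS_SIGN, SELF_ISSUED, SUB_CA, LEAF_VIA_SUB]),
        "direct_leaf": check_path_length([CROSS_SIGN, LEAF]),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```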
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy