I am surprised you decided to fork the thread from here https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/sNDN6q26_uM where this was already being discussed. Seems unnecessary.
I don't agree this is a policy violation, and I doubt any CA not involved in the previously mentioned thread would even register that Mozilla may be requiring disclosure of self-signed CAs. The only disclosure requirement this root may fall under is the weird "transitive" trust phrase in the policy. Note, this phrase is not defined in 5280 or the Mozilla policy. Can you please link me to the definition in an RFC? If there isn't one, until Mozilla clarifies what this means, the definition of transitive trust is vague, meaning any third interpretation is as good as the one you propose.

Regardless, we will log the cert in the database pending resolution of the dispute on what this means in the Mozilla policy to avoid the debate over this particular root.

Jeremy

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org] On Behalf Of Rob Stradling via dev-security-policy
Sent: Monday, July 3, 2017 5:32 AM
To: mozilla-dev-security-pol...@lists.mozilla.org <dev-security-policy@lists.mozilla.org>
Subject: DigiCert policy violation - non-disclosure of https://crt.sh/?id=160110886

https://crt.sh/mozilla-disclosures#undisclosed has listed https://crt.sh/?id=160110886 for over 1 week.

This is a violation of section 5.3.2 of the Mozilla Root Store Policy v2.5 [1], which says (emphasis mine):

"All certificates that are capable of being used to issue new certificates, that are not technically constrained, and that directly or transitively chain to a certificate included in Mozilla’s root program MUST be audited in accordance with Mozilla’s Root Store Policy and MUST be publicly disclosed in the CCADB by the CA that has their certificate included in Mozilla’s root program. The CA with a certificate included in Mozilla’s root program MUST disclose this information *within a week* of certificate creation, and before any such subordinate CA is allowed to issue certificates."

It's a self-signed root certificate, but nonetheless there exists a signature chain up to an included root and so disclosure is required.

[1] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
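The mechanism behind the "self-signed but still chains to an included root" point in the quoted message is cross-certification: path building matches an issuer by subject name and public key, not by one specific certificate file, so a root that signs a second certificate for another root's name and key creates a chain through that key. The script below is an added example, not code from either poster or from crt.sh, and it does not use the disputed certificate. It builds a generic version of the situation with OpenSSL: "Root A" stands in for a root included in a root store, "Root B" for a self-signed root, and "leaf.example", the working directory and all file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a tiny PKI in which "Root B" is a
# self-signed root, yet a certificate issued under Root B's key still validates to
# "Root A", because Root A has issued a cross-certificate for Root B's name and key.
# Path building matches issuer name and public key, not a specific certificate file,
# which is why "self-signed" alone does not settle whether a CA chains to a root.
# Root A, Root B, leaf.example and the file names are all assumptions.
set -e
WORK=${WORK:-$(mktemp -d)}

make_pki() {
  # Idempotent: skip regeneration if the leaf already exists.
  [ -f "$WORK/leaf.pem" ] && return 0

  # Root A: stands in for a root included in a browser root store (self-signed).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Root A" \
    -keyout "$WORK/a.key" -out "$WORK/a.pem" 2>/dev/null

  # Root B: the self-signed root under discussion.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Root B" \
    -keyout "$WORK/b.key" -out "$WORK/b.pem" 2>/dev/null

  # Cross-certificate: Root A signs Root B's subject name and public key.
  # This certificate is what creates the "transitive" chain to Root A.
  openssl req -new -key "$WORK/b.key" -subj "/CN=Root B" -out "$WORK/b.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -days 30 -in "$WORK/b.csr" -CA "$WORK/a.pem" -CAkey "$WORK/a.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/b_cross.pem" 2>/dev/null

  # Leaf certificate issued by Root B's key (signed with b.key, issuer name "Root B").
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"
  openssl x509 -req -days 30 -in "$WORK/leaf.csr" -CA "$WORK/b.pem" -CAkey "$WORK/b.key" \
    -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# The self-signed Root B and the cross-certificate carry the same public key.
same_public_key() {
  [ "$(openssl x509 -in "$WORK/b.pem" -pubkey -noout)" = \
    "$(openssl x509 -in "$WORK/b_cross.pem" -pubkey -noout)" ]
}

# With only Root A trusted and no cross-certificate available, the leaf fails.
verify_without_cross() {
  openssl verify -CAfile "$WORK/a.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Supplying the cross-certificate as an untrusted intermediate makes the leaf
# validate to Root A: leaf -> (Root B name/key, via b_cross.pem) -> Root A.
verify_with_cross() {
  openssl verify -CAfile "$WORK/a.pem" -untrusted "$WORK/b_cross.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

make_pki
same_public_key && echo "b.pem and b_cross.pem share one public key"
verify_without_cross || echo "without cross-cert: leaf does NOT chain to Root A"
verify_with_cross && echo "with cross-cert:    leaf chains to Root A"
```

Nothing in b.pem itself points at Root A; the chain only exists because b_cross.pem binds the same subject name and public key under Root A's signature. That is why a disclosure check keyed on "is this certificate self-signed?" misses the case, while a check keyed on "does any certificate signed by an included root carry this CA's name and key?" catches it.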