Thanks Nick.  I'm missing something on this, so I appreciate the help so
far. I replied to each section.

Perhaps you have confused transitivity with commutativity or one of the
other simple properties. Transitivity is the property whereby if F(A,B) and
F(B,C) then F(A,C), for example the "greater than" binary relation is
transitive.
[JR] No confusion on what the arithmetic property is, but I am having trouble
seeing how the transitive trust applies to a self-signed and self-issued root
with a publicly trusted root.  Can you explain this more?

The previously undisclosed certificate chains to a certificate which chains
to another certificate and so on until you reach one that is included in the
programme.  The Mozilla policy isn't trying to do anything very fancy here,
it's just spelling out how chains actually work, which is why it was a
concern that you seem so surprised this policy applies.
[JR] Well yeah - but this one is self-signed and self-issued, so how does it
chain? 

It seems _especially_ strange to object for this certificate that you had
never imagined it was necessary to disclose it, while perhaps half a dozen
similar certificates in the same family were previously disclosed. I would
suggest that rather than demonstrating DigiCert had no idea it was supposed
to disclose them, it instead indicates that DigiCert's processes for
actually ensuring this gets done are inadequate and so some random
proportion of sub-CAs may go undisclosed entirely by accident. That's not
good news.

[JR] No. We have a process for disclosing. We didn't issue the cert...
directly. This was issued by the Belgium government, who is obligated to
follow the policy themselves for all cross-signed certs.  However, this
isn't a cross-signed cert since it's self-signed.  We've never encountered
transitive trust as we don't reuse keys in our certs.  This is a unique
situation for us as it's a program that's long been deprecated that we
haven't been able to force migration from. 
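As an added illustration of the chain-building Nick describes above (not code from this thread, from DigiCert or from any CA), here is a toy path builder over constructed certificates: a self-signed, self-issued root whose key is also cross-signed by a publicly trusted root still chains into the programme, because issuer matching is done by name and key rather than by certificate, while a self-signed root with a unique key does not. The `Cert` model, names and key ids are assumptions for the example.

```python
from dataclasses import dataclass

# Toy X.509 model (constructed for this example): a cert binds a subject name
# to a subject key (SKID stand-in) and is signed by the issuer's key (AKID
# stand-in). Real path builders (RFC 4158) match issuers by name *and* key.
@dataclass(frozen=True)
class Cert:
    label: str          # human-readable handle for this certificate
    subject: str
    subject_key: str
    issuer: str
    authority_key: str

def issuer_candidates(cert, pool):
    """All certs whose subject name and key could have signed `cert`."""
    return [c for c in pool
            if c.subject == cert.issuer and c.subject_key == cert.authority_key]

def chain_to_program(cert, pool, anchors, visited=()):
    """Labels from `cert` up to a root in the programme, or None.
    `anchors` holds the (subject, key) pairs included in the root programme.
    A self-signed cert is its own issuer candidate; `visited` cuts that loop,
    but any *other* cert carrying the same name and key (a cross-sign) is still
    followed, which is how a self-signed, self-issued root ends up chaining.
    """
    if (cert.subject, cert.subject_key) in anchors:
        return [cert.label]
    visited = visited + (cert,)
    for issuer in issuer_candidates(cert, pool):
        if issuer in visited:
            continue
        rest = chain_to_program(issuer, pool, anchors, visited)
        if rest is not None:
            return [cert.label] + rest
    return None

# Constructed scenario: a government root self-signs with key K_gov, and the
# same key is also certified (cross-signed) by a publicly trusted root.
PUBLIC_ROOT = Cert("public-root", "Public Root CA", "K_pub", "Public Root CA", "K_pub")
CROSS_SIGN = Cert("cross-sign", "Gov Root CA", "K_gov", "Public Root CA", "K_pub")
SELF_SIGNED = Cert("self-signed", "Gov Root CA", "K_gov", "Gov Root CA", "K_gov")
# A self-signed root whose key appears in no other certificate (no key reuse).
ISOLATED = Cert("isolated", "Other CA", "K_other", "Other CA", "K_other")
POOL = [PUBLIC_ROOT, CROSS_SIGN, SELF_SIGNED, ISOLATED]
ANCHORS = {("Public Root CA", "K_pub")}

if __name__ == "__main__":
    print(chain_to_program(SELF_SIGNED, POOL, ANCHORS))  # ['self-signed', 'cross-sign', 'public-root']
    print(chain_to_program(ISOLATED, POOL, ANCHORS))  # None
```

The self-signed cert is never itself in the programme, yet it is "chainable" through the cross-sign, which is the disclosure trigger under discussion.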


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
