I'm an idiot. The discussion wasn't meant to be a red herring.  Just a
momentary lapse in intelligence...

It really looks like this from a validation perspective, right? EE ->
Self-signed -> Issuing CA (as it has the same key) -> Digicert Root

Yeah - I agree it should have been disclosed. Apologies for the confusion. 

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org]
On Behalf Of Nick Lamb via dev-security-policy
Sent: Tuesday, July 4, 2017 2:05 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: DigiCert policy violation - non-disclosure of https://crt.sh/?id=160110886

On Tuesday, 4 July 2017 02:37:36 UTC+1, Jeremy Rowley  wrote:
> [JR] Well yeah - but this one is self-signed and self-issued, so how 
> does it chain?

This seems to be a source of confusion for a lot of people; several people
have posted queries about it to Stack Overflow or its sister Q&A systems
over the years too. It chains because the Issuer is also the Subject of a
(different) trusted certificate. To decide whether a certificate chains we
don't need to look at its Subject at all, even if the Subject is itself.

The self-signed, self-issued certificate is a loop in the PKI graph. But
just because it's a loop very much does NOT mean that it isn't connected to
the rest of the graph, nor does it mean that client software trying to make
a chain should give up and decide it's a root. In fact some systems (I
believe including in the Web PKI) already rely on being able to get past the
loop if it's presented as an intermediate.

I'm glad that transitivity was a red herring and in fact your understanding
of what is to be disclosed lines up with everybody else's except for this
blind spot about self-signed certificates.

The Belgian government seems to have understood that this certificate was to
be treated like any other trusted certificate; it was for example listed in
their audit documents, and the only oversight was that it wasn't disclosed to
Mozilla via the common database. As I said, I believe this is a process
shortcoming, and I grasp that you don't feel this is directly DigiCert's
responsibility, but of course the Belgian government is not a root programme
member, so DigiCert ends up answering for what they do here on m.d.s.policy.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
