On Thu, Aug 03, 2017 at 01:43:08PM -0700, Kathleen Wilson via dev-security-policy wrote: > On Thursday, August 3, 2017 at 9:49:41 AM UTC-7, Jonathan Rudenberg wrote: > > Even absent the BR-violating certificates and disclosure timeline, I > > believe this cross-sign is problematic because it appears to circumvent the > > prerequisites and process described in > > https://bugzilla.mozilla.org/show_bug.cgi?id=1311832 for StartCom’s > > application for re-inclusion into the Mozilla root store. It’s not clear to > > me what the point of those requirements is if they can be avoided by > > obtaining cross-signatures from other CAs that are currently trusted by > > Mozilla. > > It is common practice for a CA to get cross-signed by a currently-included > CA, so their cert chain is trusted while they are going through Mozilla's > long inclusion process. This is OK, as long as the currently-included CA > ensures that the subCA follows Mozilla's Root Store Policy. > See section 5.3 of > https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
I would really like to see that they have at least opened a bug to request the inclusion of that CA before it's cross-signed. It should have already all the requirements that Mozilla has for including the root CA certificate before it's cross signed. I would prefer that it's even included in the Mozilla root store before it's cross signed, or that it's been added to one of the other root stores. Kurt _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
