On Tue, Mar 13, 2018 at 10:19 AM, Kai Engert via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> On 13.03.2018 14:59, Ryan Sleevi wrote: > > the blog post says, the subCAs controlled by Apple and Google are the > > ONLY exceptions. > > > > However, the Mozilla Firefox code also treats certain DigiCert > subCAs as > > exceptions. > > > > Based on Ryan Sleevi's recent comments on this list, I had concluded > > that the excluded DigiCert subCAs are used to support companies other > > than Apple and Google. Is my understanding right or wrong? > > > > > > I think your understanding is incorrect. The DigiCert SubCAs are being > > treated as part of the Managed Partner Infrastructure (aka the consensus > > plan), and the (cross-signed DigiCert Roots) are excluded to avoid path > > building issues in Firefox. > > Your earlier explanations were very complex, and had increased my > uncertainty about who is covered by the Managed Partner Infrastructure. > > In your earlier explanations, you had mentioned additional company names > besides Apple and Google. This had given me the impression that the > Managed Partner Infrastructure isn't limited to support the Apple and > Google companies, but to also support other companies. > OK, I think the confusion is what Managed Partner Infrastructure is. There is Apple. There is Google. There is the Managed Partner Infrastructure. These are three, separate things from the point-of-view of the Consensus plan. That consensus document, unchanged since the announcement, is https://docs.google.com/document/d/1Yd079EsKQ-QawTvWgjIfrCV6d0NNlwoS1ftB0MaJkBc/edit > Are the DigiCert transition CAs, which are part of the exclusion list, > and which you say are used for "Managed Partner Infrastructure", > strictly limited to support the needs of the Apple and Google companies? No. Apple is Apple. Google is Google. DigiCert is running the Managed Partner Infrastructure from the consensus plan, using the two transition CAs, in addition to the two pre-existing roots participating in Mozilla's root store. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
