On Tue, Mar 13, 2018 at 10:52 AM, Peter Bowen <pzbo...@gmail.com> wrote:
> On Tue, Mar 13, 2018 at 7:19 AM, Kai Engert via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
> > On 13.03.2018 14:59, Ryan Sleevi wrote:
> >> the blog post says, the subCAs controlled by Apple and Google are the
> >> ONLY exceptions.
> >>
> >> However, the Mozilla Firefox code also treats certain DigiCert subCAs as
> >> exceptions.
> >>
> >> Based on Ryan Sleevi's recent comments on this list, I had concluded
> >> that the excluded DigiCert subCAs are used to support companies other
> >> than Apple and Google. Is my understanding right or wrong?
> >>
> >>
> >> I think your understanding is incorrect. The DigiCert SubCAs are being
> >> treated as part of the Managed Partner Infrastructure (aka the consensus
> >> plan), and the (cross-signed DigiCert Roots) are excluded to avoid path
> >> building issues in Firefox.
> >
> > Your earlier explanations were very complex, and had increased my
> > uncertainty about who is covered by the Managed Partner Infrastructure.
> >
> > In your earlier explanations, you had mentioned additional company names
> > besides Apple and Google. This had given me the impression that the
> > Managed Partner Infrastructure isn't limited to support the Apple and
> > Google companies, but to also support other companies.
> >
> >
> >> That is, the exclusion of those DigiCert Sub-CAs *is* the consensus plan
> >> referred to - what else could it be?
> >>
> >>
> >> Are Apple and Google really the only beneficiaries of the exceptions, or
> >> should the blog post get updated to mention the additional exceptions?
> >>
> >>
> >> Do you think the above clarifies?
> >
> > I hope we are close.
> >
> > I really wish we could bring it down to a simple yes or no question, and
> > you being able to respond with a clear yes or no.
> >
> > Let me try again.
> >
> > Are the DigiCert transition CAs, which are part of the exclusion list,
> > and which you say are used for "Managed Partner Infrastructure",
> > strictly limited to support the needs of the Apple and Google companies?
>
> I'll try answering and let Ryan correct me.
>
> Managed Partner Infrastructure CAs are NOT strictly limited to support
> the needs of Apple/Google.
>
> As I understand it, there are five different sets of CAs when it comes
> to applying trust rules:
>
> 1) CAs that are not cross-signed by any of the roots owned by Symantec
> as of June 2017 ("Symantec roots"). This is the majority of CAs in
> the world.
>
> 2) Online/Non-root CAs that are cross-signed by a Symantec root and
> which had their own non-Symantec audit as of June 2017 and have
> current audits - this is currently a set of CAs owned by Alphabet and
> Apple companies
>
> 3) Root CAs that are cross-signed by a Symantec root and which had
> their own non-Symantec audit as of June 2017 and have current audits -
> this is currently a set of root CAs that are owned by DigiCert and
> that existed prior to DigiCert acquiring the Symantec roots
>
> 4) CAs that are cross-signed by a Symantec root which were explicitly
> created for compatibility with existing clients. These are not
> cross-signed by any roots that are not Symantec roots. These were
> created by DigiCert and are not under their DigiCert branded CAs; they are
> the "Managed Partner Infrastructure" CAs.
>
> 5) Any CAs not covered above (that is, CAs cross-signed by a Symantec
> root but not in #2, #3, or #4).
>
> CAs in group #2, #3, and #4 are able to continue issuing. #4 have a
> maximum validity period restriction that is less than the BR maximum.
> #5 CAs are not trusted for certificates issued after
> 2017-12-01T00:00:00Z or before 2016-06-01T00:00:00Z.
>
> Does this make it clear?
> Ryan, did I get this wrong?
>
#4 is only limited in validity if Symantec was involved/validation information was reused.
As stated by DigiCert, there's been zero involvement in the validation and zero-reuse of validated information, hence, issuance times are permitted to the maximum BR allowed.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
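The five-group classification and the trust rules Peter lays out above can be turned into a small decision procedure, shown here as an added example that is not part of the thread and not the NSS/Firefox or Chromium implementation. Every `spki:` string, the `Group`/`Cert` types, the `evaluate` function and the sample chains are constructed placeholders: a real client keys the whitelists on the SHA-256 of each CA's SubjectPublicKeyInfo, and none of the identifiers below correspond to an actual CA. The cut-off dates are the ones quoted in Peter's message; the group #4 validity cap is modelled as an optional parameter because Ryan's reply says it applies only where Symantec validation data was reused.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Cut-off dates quoted in Peter Bowen's message for group #5 chains.
DISTRUST_BEFORE = utc(2016, 6, 1)
DISTRUST_AFTER = utc(2017, 12, 1)

# Constructed placeholder identifiers (stand-ins for SPKI SHA-256 hashes).
SYMANTEC_ROOTS = {"spki:symantec-root-1", "spki:symantec-root-2"}
GROUP2_ONLINE_CAS = {"spki:apple-online-ca", "spki:alphabet-online-ca"}
GROUP3_DIGICERT_ROOTS = {"spki:digicert-legacy-root"}
GROUP4_MPI_CAS = {"spki:mpi-transition-ca"}


class Group(Enum):
    NOT_SYMANTEC = 1   # no Symantec root anywhere in the chain
    ONLINE_CROSS = 2   # cross-signed online CA with its own audit (Apple/Alphabet)
    ROOT_CROSS = 3     # pre-acquisition DigiCert root cross-signed by Symantec
    MPI = 4            # DigiCert "Managed Partner Infrastructure" compatibility CA
    LEGACY = 5         # everything else chaining to a Symantec root


@dataclass(frozen=True)
class Cert:
    subject: str
    spki: str
    not_before: datetime
    not_after: datetime


def classify_chain(chain):
    """Assign a chain (leaf first, trust anchor last) to one of the five groups."""
    spkis = {c.spki for c in chain}
    if not spkis & SYMANTEC_ROOTS:
        return Group.NOT_SYMANTEC          # group 1: path never reaches a Symantec root
    if spkis & GROUP2_ONLINE_CAS:
        return Group.ONLINE_CROSS
    if spkis & GROUP3_DIGICERT_ROOTS:
        return Group.ROOT_CROSS
    if spkis & GROUP4_MPI_CAS:
        return Group.MPI
    return Group.LEGACY


def evaluate(chain, mpi_max_validity_days=None):
    """Return (group, trusted, reason) by applying the rules from the thread."""
    leaf = chain[0]
    group = classify_chain(chain)
    if group is Group.LEGACY:
        # Group 5: only leaves issued inside the window stay trusted.
        if leaf.not_before < DISTRUST_BEFORE or leaf.not_before > DISTRUST_AFTER:
            return group, False, f"group 5 leaf issued {leaf.not_before.date()} is outside the trusted window"
        return group, True, "group 5 leaf issued inside the trusted window"
    if group is Group.MPI and mpi_max_validity_days is not None:
        # Optional group 4 cap (conditional per the thread, so off by default).
        days = (leaf.not_after - leaf.not_before).days
        if days > mpi_max_validity_days:
            return group, False, f"group 4 leaf validity of {days} days exceeds the cap"
    return group, True, f"{group.name} chain continues to be trusted"


# Constructed sample chains (leaf, intermediate(s), root).
SYMANTEC_ROOT = Cert("Constructed Symantec Root", "spki:symantec-root-1", utc(2006, 1, 1), utc(2036, 1, 1))
OTHER_ROOT = Cert("Constructed Unrelated Root", "spki:other-root", utc(2010, 1, 1), utc(2030, 1, 1))


def _chain(leaf_nb, leaf_na, *issuers):
    return (Cert("example.test", "spki:leaf", leaf_nb, leaf_na), *issuers)


CHAIN_UNRELATED = _chain(utc(2018, 2, 1), utc(2019, 2, 1),
                         Cert("Other CA", "spki:other-ca", utc(2012, 1, 1), utc(2027, 1, 1)), OTHER_ROOT)
CHAIN_LEGACY_OK = _chain(utc(2017, 3, 1), utc(2018, 3, 1),
                         Cert("Legacy CA", "spki:legacy-ca", utc(2013, 1, 1), utc(2023, 1, 1)), SYMANTEC_ROOT)
CHAIN_LEGACY_NEW = _chain(utc(2018, 1, 10), utc(2019, 1, 10),
                          Cert("Legacy CA", "spki:legacy-ca", utc(2013, 1, 1), utc(2023, 1, 1)), SYMANTEC_ROOT)
CHAIN_LEGACY_OLD = _chain(utc(2015, 5, 1), utc(2018, 5, 1),
                          Cert("Legacy CA", "spki:legacy-ca", utc(2013, 1, 1), utc(2023, 1, 1)), SYMANTEC_ROOT)
CHAIN_APPLE = _chain(utc(2018, 2, 1), utc(2019, 2, 1),
                     Cert("Apple online CA", "spki:apple-online-ca", utc(2014, 1, 1), utc(2024, 1, 1)), SYMANTEC_ROOT)
CHAIN_MPI = _chain(utc(2018, 1, 1), utc(2021, 1, 1),
                   Cert("MPI CA", "spki:mpi-transition-ca", utc(2017, 12, 1), utc(2027, 12, 1)), SYMANTEC_ROOT)

if __name__ == "__main__":
    for name, chain in [("unrelated", CHAIN_UNRELATED), ("legacy-ok", CHAIN_LEGACY_OK),
                        ("legacy-new", CHAIN_LEGACY_NEW), ("legacy-old", CHAIN_LEGACY_OLD),
                        ("apple", CHAIN_APPLE), ("mpi", CHAIN_MPI)]:
        print(name, *evaluate(chain))
    print("mpi with 825-day cap", *evaluate(CHAIN_MPI, mpi_max_validity_days=825))
```

The group #1 test is deliberately chain-based rather than CA-based: a pre-acquisition DigiCert root is group #1 when the built path stops at that root and group #3 only when the path continues through its Symantec cross-sign, which is exactly the path-building distinction the earlier part of the thread is about.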