This issue was brought up in the thread that kicked off the 2.6 root store
policy update [1]. Mozilla policy section 5.3.2 requires CAs to disclose
new unconstrained intermediate CA certificates within one week of creation.
Section 8 covers [in my opinion] transfers of roots but not intermediates.
This leaves a loophole for a CA to create a new intermediate CA
certificate, then transfer it without notice or approval. This problem also
applies to cross-signatures from one CA to another.

I am aware of three potential solutions:

1. In section 5.3.2, require CAs to also disclose a change in the ownership
or control of an unconstrained intermediate CA certificate within one week
of the change.

2. Modify section 8 to explicitly include transfers of trust via
intermediate CA certificates and cross signatures. Under section 8.1, this
would require notice and approval:

> If the receiving or acquiring company is new to the Mozilla root program,
> there MUST be a public discussion regarding their admittance to the root
> program, which Mozilla must resolve with a positive conclusion before
> issuance is permitted.

3. Require organizations that are receiving subordinate CA certificates to
go through the whole Mozilla inclusion process as if they were applying for
a new root.

I would appreciate everyone's input on this topic.

This is: https://github.com/mozilla/pkipolicy/issues/122

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/xGGGaI1_uo0/POMANRWRAAAJ
-------

This is a proposed update to Mozilla's root store policy for version
2.6. Please keep discussion in this group rather than on GitHub. Silence
is consent.

Policy 2.5 (current version):
https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy