Seeing no additional comments, I've gone ahead and added this change to the 2.6 branch of the policy: https://github.com/mozilla/pkipolicy/commit/7a33f1d065733c19b6030261c1a11f860c30dc10
- Wayne

On Tue, Apr 24, 2018 at 6:02 PM, Wayne Thayer <wtha...@mozilla.com> wrote:

> On Tue, Apr 24, 2018 at 9:21 AM, Ryan Sleevi <r...@sleevi.com> wrote:
>
>> On Mon, Apr 23, 2018 at 6:12 PM, Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>>
>>> I'm re-sending this with the subject tagged as a 'policy 2.6 proposal' in case anyone missed it the first time.
>>>
>>> I am leaning toward option 2 as the best solution. The scope of section 8 could be updated to state the following:
>>>
>>> CAs SHOULD NOT assume that trust is transferable. All CAs whose certificates are included in Mozilla's root program MUST notify Mozilla if:
>>>
>>> * ownership or control of the CA’s included certificate(s) changes; or,
>>> * the CA creates an unconstrained intermediate certificate as defined in section 5.3.2 that is controlled by another organization; or,
>>> * ownership or control of the CA's unconstrained intermediate certificate(s) changes; or,
>>> * ownership or control of the CA’s operations changes; or,
>>> * there is a material change in the CA's operations.
>>>
>>> This would then explicitly require CAs who create or transfer an unconstrained intermediate certificate to a 3rd party to obtain approval and meet the other requirements outlined in section 8.
>>>
>>> I would appreciate everyone's comments on this proposed change.
>>>
>> Apologies if I'm missing something, but I'm curious how this would cover the case of:
>>
>> Org A - "TSP" operating a singular root certificate in the Mozilla program
>> Org B - "TSP" operating a single signed intermediate from Org A's Root Certificate
>> Org C - "TSP" operating a single signed intermediate from Org B's "Intermediate Certificate"
>> Org D - A new TSP
>>
>> My understanding is that the proposed language would address the situation if Org B transferred control to org D, but I'm struggling to see where/how it would require Org C to be subject to that if they transferred to Org D.
>>
> Good point. How about combining the two bullets from my earlier proposal as follows:
>
> CAs SHOULD NOT assume that trust is transferable. All CAs whose certificates are included in Mozilla's root program MUST notify Mozilla if:
>
> * an organization other than the CA obtains control of an unconstrained intermediate certificate (as defined in section 5.3.2) that directly or transitively chains to the CA's included certificate(s); or,
>
>> The ambiguity that I struggle with comes from "control of the CA's" (in the third bullet) that seems subject to "All CAs whose certificates are included in Mozilla's root program" in the intro. It would seem it would only bind the Org A relationship, not Org B's.
>>
>> In this regard, 5.3.2 is slightly less ambiguous, as it governs "All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to a certificate included in Mozilla’s CA Certificate Program,"
>>
>

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy