On Tue, Jul 9, 2019 at 5:50 PM Kathleen Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> All,
>
> There is some confusion about disclosure of new intermediate certs that are issued to subordinate CAs with currently valid audit statements.
>
> Section 5.3.2 of Mozilla's Root Store Policy says: "If the CA has a currently valid audit report at the time of creation of the certificate, then the new certificate MUST appear on the CA's next periodic audit reports."
>
> I think it is reasonable to assume that the same policy applies to subordinate CAs, such that if the subordinate CA has a currently valid audit report at the time of creation of a new intermediate certificate, then the new certificate MUST appear on the subordinate CA's next periodic audit reports.
>
> The confusion is about how to disclose such a new intermediate certificate in the CCADB.
>
> I propose that to handle this situation, the CA may enter the subordinate CA's current audit statements and use the Public Comment field to indicate that the new certificate will be included in the next audit statements. (Also, a quick comparison of the cert's Valid-From date and the audit period dates will indicate this situation.)
>
> Please let me know if you foresee any problems with this approach.

That aligns with past discussions [1][2], which resulted in similar uncontroversial proposals [3]. Wayne previously discussed the lifecycle of certificates during past CA/Browser Forum F2Fs [4][5]. With respect to [5], Wayne proposed the uncontroversial "Change #3" for the alignment of audit reports, and this would similarly align the disclosure. This is particularly important to be harmonized, given reports like [6], which provide an important signal to the community about the entities involved with issuance.

Note that if the same policies do not apply to the new sub-CA, it has seemed uncontroversial that some form of new audit is required. Is that consistent with your understanding as well?
[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/CAaC2a2HMiQ/IKimeW4NBgAJ
[2] https://groups.google.com/d/msg/mozilla.dev.security.policy/v8-V2D957tU/BtogJ3rECQAJ
[3] https://blog.mozilla.org/security/2018/07/02/root-store-policy-updated/
[4] https://cabforum.org/2018/10/18/minutes-for-ca-browser-forum-f2f-meeting-45-shanghai-17-18-october-2018/#28-Audit-requirements-over-the-lifecycle-of-a-root
[5] https://cabforum.org/2019/05/03/minutes-for-ca-browser-forum-f2f-meeting-46-cupertino-12-14-march-2019/#Audit-requirements-over-the-lifecycle-of-a-Root-CA
[6] https://groups.google.com/d/msg/mozilla.dev.security.policy/7bLbgXTf5Ng/l8nmVfzEAwAJ