Sorry! It looks like the attachments didn't come through. Here's each chain:
Prio Statistics Facilitator_ XX.chain.pem -----BEGIN CERTIFICATE----- MIIDmTCCAz+gAwIBAgIQVUMIP1vPOWm3Rozjmb8qYzAKBggqhkjOPQQDAjBZMTUw MwYDVQQDDCxUZXN0IEFwcGxlIEFwcGxpY2F0aW9uIEludGVncmF0aW9uIENBIDYg LSBHMTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwHhcNMjAxMTA1 MTc0MTU0WhcNMjExMjA1MTc0MTU0WjBEMSgwJgYDVQQDDB9QcmlvIFN0YXRpc3Rp Y3MgRmFjaWxpdGF0b3I6IFhYMRgwFgYDVQQKDA9FeHRlcm5hbCBFbnRpdHkwWTAT BgcqhkjOPQIBBggqhkjOPQMBBwNCAARFcpbRk+3269K4gP+jBR0my2KYnGwDmBY/ ruIvbV/VZkn7qPdh+de+tXMy2s374RBbwtzEcOwiSikCGQW43Y4fo4IB/DCCAfgw DAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBSphcEaCuXYec3we0b6me9LYUdzhDBQ BggrBgEFBQcBAQREMEIwQAYIKwYBBQUHMAGGNGh0dHA6Ly9vY3NwLXVhdC5jb3Jw LmFwcGxlLmNvbS9vY3NwMDMtdGVzdGFhaWNhNmcxMDIwggEdBgNVHSAEggEUMIIB EDCCAQwGCSqGSIb3Y2QFATCB/jCBwwYIKwYBBQUHAgIwgbYMgbNSZWxpYW5jZSBv biB0aGlzIGNlcnRpZmljYXRlIGJ5IGFueSBwYXJ0eSBhc3N1bWVzIGFjY2VwdGFu Y2Ugb2YgdGhlIHRoZW4gYXBwbGljYWJsZSBzdGFuZGFyZCB0ZXJtcyBhbmQgY29u ZGl0aW9ucyBvZiB1c2UsIGNlcnRpZmljYXRlIHBvbGljeSBhbmQgY2VydGlmaWNh dGlvbiBwcmFjdGljZSBzdGF0ZW1lbnRzLjA2BggrBgEFBQcCARYqaHR0cHM6Ly93 d3cuYXBwbGUuY29tL2NlcnRpZmljYXRlYXV0aG9yaXR5MBQGA1UdJQQNMAsGCSqG SIb3Y2QEEjAdBgNVHQ4EFgQUQfM6gfYThdT25wd3RxbSmuX9Ic8wDgYDVR0PAQH/ BAQDAgMIMA8GCSqGSIb3Y2QPAgQCBQAwCgYIKoZIzj0EAwIDSAAwRQIgPk1q++Hg MorAeWyxJrATByoMUCpFGBhgP3/IdCyhv+QCIQC14+ROFCD8fVRSvtJ8IpvxiR21 f3HfQ72hwcH23jEFQg== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIC7zCCAnWgAwIBAgIITkSG+diMnpkwCgYIKoZIzj0EAwMwbDEgMB4GA1UEAwwX VGVzdCBBcHBsZSBSb290IENBIC0gRzMxJjAkBgNVBAsMHUFwcGxlIENlcnRpZmlj YXRpb24gQXV0aG9yaXR5MRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJV UzAeFw0yMDA2MjUyMzQxMjdaFw0zNTA2MjIyMzQxMjdaMFkxNTAzBgNVBAMMLFRl c3QgQXBwbGUgQXBwbGljYXRpb24gSW50ZWdyYXRpb24gQ0EgNiAtIEcxMRMwEQYD VQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzBZMBMGByqGSM49AgEGCCqGSM49 AwEHA0IABBPPW0nKWVaSPVxG1XqV5KCwhB5oPiwTsdxOJqxyahGTd+Og429IC5b1 /tW9pbxPdAPxCfO/ww24m2IrwNNKBpWjggESMIIBDjAPBgNVHRMBAf8EBTADAQH/ MB8GA1UdIwQYMBaAFPxG2INsH+by3N+nmReuC0RnFxtGMFMGCCsGAQUFBwEBBEcw RTBDBggrBgEFBQcwAYY3aHR0cDovL29jc3AtdWF0LmNvcnAuYXBwbGUuY29tL29j c3AwMy10ZXN0YXBwbGVyb290Y2FnMzBEBgNVHR8EPTA7MDmgN6A1hjNodHRwOi8v Y3JsLXVhdC5jb3JwLmFwcGxlLmNvbS90ZXN0YXBwbGVyb290Y2FnMy5jcmwwHQYD VR0OBBYEFKmFwRoK5dh5zfB7RvqZ70thR3OEMA4GA1UdDwEB/wQEAwIBBjAQBgoq hkiG92NkBgIaBAIFADAKBggqhkjOPQQDAwNoADBlAjAosWWcj/xO+fMYIfAAt3Yj V3ixGnEV0O97PK9PxhxNVRZdG5Lel0yI5Iothth5LbUCMQD0vLB44Q71ik+5I9d1 a4gj3e3K0aAnxIbtS4wkImFsVkJf+isQQ/qg6Cewy1/qy/s= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIICTDCCAdOgAwIBAgIIeDYL9LfItrAwCgYIKoZIzj0EAwMwbDEgMB4GA1UEAwwX VGVzdCBBcHBsZSBSb290IENBIC0gRzMxJjAkBgNVBAsMHUFwcGxlIENlcnRpZmlj YXRpb24gQXV0aG9yaXR5MRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJV UzAeFw0xNTA0MjIwMzE3NDRaFw00MDEyMjYwMzEzMzdaMGwxIDAeBgNVBAMMF1Rl c3QgQXBwbGUgUm9vdCBDQSAtIEczMSYwJAYDVQQLDB1BcHBsZSBDZXJ0aWZpY2F0 aW9uIEF1dGhvcml0eTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMw djAQBgcqhkjOPQIBBgUrgQQAIgNiAASpGmM077ymitYqajgi6SWt2iigScVk/l2R w2z3meS65CpfYdK/O2yoYRG14Gb3IhGGl13DuhttVX/Q+YDg/9kFrVpbvzp6pwlS GjF/DKLoEPU208jqoFsKKIUwKF+U9pSjQjBAMB0GA1UdDgQWBBT8RtiDbB/m8tzf p5kXrgtEZxcbRjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAKBggq hkjOPQQDAwNnADBkAjAaFDgk/7QIy+rJO9rMgvPZDdErbr8fxBUURN+Ym9fduhu+ T58XpNICdZB9dsyTFi8CMALX2gu+3T3t+aMGkKlYvWt8fOXFTg5EopQvtASazZtp jSrGHVj/4zK22z40/2dw8Q== -----END CERTIFICATE----- Prio Statistics Public Health Authority_ XX.chain.pem -----BEGIN CERTIFICATE----- MIIDpjCCA0ugAwIBAgIQZWCtfLnEJ/nLAn8jf4PvZTAKBggqhkjOPQQDAjBZMTUw MwYDVQQDDCxUZXN0IEFwcGxlIEFwcGxpY2F0aW9uIEludGVncmF0aW9uIENBIDYg LSBHMTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwHhcNMjAxMTA1 MTc0NjMxWhcNMjExMjA1MTc0NjMxWjBQMTQwMgYDVQQDDCtQcmlvIFN0YXRpc3Rp Y3MgUHVibGljIEhlYWx0aCBBdXRob3JpdHk6IFhYMRgwFgYDVQQKDA9FeHRlcm5h bCBFbnRpdHkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATz+VjB1rJUlyBpG2GU zgHDxmPxlU/OUC7h1G0t2eJ+1p6YJAoKjb5StyMr1xG56jXh1hMNO2gIjR4fKLWs 0iLDo4IB/DCCAfgwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBSphcEaCuXYec3w e0b6me9LYUdzhDBQBggrBgEFBQcBAQREMEIwQAYIKwYBBQUHMAGGNGh0dHA6Ly9v Y3NwLXVhdC5jb3JwLmFwcGxlLmNvbS9vY3NwMDMtdGVzdGFhaWNhNmcxMDIwggEd BgNVHSAEggEUMIIBEDCCAQwGCSqGSIb3Y2QFATCB/jCBwwYIKwYBBQUHAgIwgbYM gbNSZWxpYW5jZSBvbiB0aGlzIGNlcnRpZmljYXRlIGJ5IGFueSBwYXJ0eSBhc3N1 bWVzIGFjY2VwdGFuY2Ugb2YgdGhlIHRoZW4gYXBwbGljYWJsZSBzdGFuZGFyZCB0 ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1c2UsIGNlcnRpZmljYXRlIHBvbGljeSBh bmQgY2VydGlmaWNhdGlvbiBwcmFjdGljZSBzdGF0ZW1lbnRzLjA2BggrBgEFBQcC ARYqaHR0cHM6Ly93d3cuYXBwbGUuY29tL2NlcnRpZmljYXRlYXV0aG9yaXR5MBQG A1UdJQQNMAsGCSqGSIb3Y2QEEjAdBgNVHQ4EFgQUtU8ZKOoMjTH7wC/dbwzyADjn PmcwDgYDVR0PAQH/BAQDAgMIMA8GCSqGSIb3Y2QPAwQCBQAwCgYIKoZIzj0EAwID SQAwRgIhANujqz+wx8Aoyp3/dZZ1sxEezPzJyA42SC15i46ImRMrAiEAqhOjoDKf /IAN+Qz0hKmHcIi3SErOWTgR1Fffn5cZVfE= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIC7zCCAnWgAwIBAgIITkSG+diMnpkwCgYIKoZIzj0EAwMwbDEgMB4GA1UEAwwX VGVzdCBBcHBsZSBSb290IENBIC0gRzMxJjAkBgNVBAsMHUFwcGxlIENlcnRpZmlj YXRpb24gQXV0aG9yaXR5MRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJV UzAeFw0yMDA2MjUyMzQxMjdaFw0zNTA2MjIyMzQxMjdaMFkxNTAzBgNVBAMMLFRl c3QgQXBwbGUgQXBwbGljYXRpb24gSW50ZWdyYXRpb24gQ0EgNiAtIEcxMRMwEQYD VQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzBZMBMGByqGSM49AgEGCCqGSM49 AwEHA0IABBPPW0nKWVaSPVxG1XqV5KCwhB5oPiwTsdxOJqxyahGTd+Og429IC5b1 /tW9pbxPdAPxCfO/ww24m2IrwNNKBpWjggESMIIBDjAPBgNVHRMBAf8EBTADAQH/ MB8GA1UdIwQYMBaAFPxG2INsH+by3N+nmReuC0RnFxtGMFMGCCsGAQUFBwEBBEcw RTBDBggrBgEFBQcwAYY3aHR0cDovL29jc3AtdWF0LmNvcnAuYXBwbGUuY29tL29j c3AwMy10ZXN0YXBwbGVyb290Y2FnMzBEBgNVHR8EPTA7MDmgN6A1hjNodHRwOi8v Y3JsLXVhdC5jb3JwLmFwcGxlLmNvbS90ZXN0YXBwbGVyb290Y2FnMy5jcmwwHQYD VR0OBBYEFKmFwRoK5dh5zfB7RvqZ70thR3OEMA4GA1UdDwEB/wQEAwIBBjAQBgoq hkiG92NkBgIaBAIFADAKBggqhkjOPQQDAwNoADBlAjAosWWcj/xO+fMYIfAAt3Yj V3ixGnEV0O97PK9PxhxNVRZdG5Lel0yI5Iothth5LbUCMQD0vLB44Q71ik+5I9d1 a4gj3e3K0aAnxIbtS4wkImFsVkJf+isQQ/qg6Cewy1/qy/s= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIICTDCCAdOgAwIBAgIIeDYL9LfItrAwCgYIKoZIzj0EAwMwbDEgMB4GA1UEAwwX VGVzdCBBcHBsZSBSb290IENBIC0gRzMxJjAkBgNVBAsMHUFwcGxlIENlcnRpZmlj YXRpb24gQXV0aG9yaXR5MRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJV UzAeFw0xNTA0MjIwMzE3NDRaFw00MDEyMjYwMzEzMzdaMGwxIDAeBgNVBAMMF1Rl c3QgQXBwbGUgUm9vdCBDQSAtIEczMSYwJAYDVQQLDB1BcHBsZSBDZXJ0aWZpY2F0 aW9uIEF1dGhvcml0eTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMw djAQBgcqhkjOPQIBBgUrgQQAIgNiAASpGmM077ymitYqajgi6SWt2iigScVk/l2R w2z3meS65CpfYdK/O2yoYRG14Gb3IhGGl13DuhttVX/Q+YDg/9kFrVpbvzp6pwlS GjF/DKLoEPU208jqoFsKKIUwKF+U9pSjQjBAMB0GA1UdDgQWBBT8RtiDbB/m8tzf p5kXrgtEZxcbRjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAKBggq hkjOPQQDAwNnADBkAjAaFDgk/7QIy+rJO9rMgvPZDdErbr8fxBUURN+Ym9fduhu+ T58XpNICdZB9dsyTFi8CMALX2gu+3T3t+aMGkKlYvWt8fOXFTg5EopQvtASazZtp jSrGHVj/4zK22z40/2dw8Q== -----END CERTIFICATE----- On Thursday, November 12, 2020 at 7:17:57 AM UTC-8, Bailey Basile wrote: > Hi, all, > > Thank you for your feedback on this project. In order to address your > comments, we have adjusted our design and implementation so that > publicly-trusted certificates are no longer used and have modified our use of > Certificate Transparency. > > All certificates for encrypting data for Prio will be issued by Apple to the > processors under our “semi-private” roots (i.e. https://crt.sh/?id=1160190 > <https://crt.sh/?id=1160190>, https://crt.sh/?id=12727249 > <https://crt.sh/?id=12727249>, https://crt.sh/?id=12728973 > <https://crt.sh/?id=12728973>). These certificates will have a Key Usage of > Key Agreement and an Extended Key Usage containing an Apple OID > (1.2.840.113635.100.4.18). The Common Name will contain an entity name > (expected to be an ISO 3166 country or region code, but will be defined by > Apple during configuration of the processor) for the benefit of users > reviewing the keys and certificates used to encrypt their data. > > Attached are certificate chains issued from our test roots under these > profiles. > > > The production certificates will include SCTs from CT logs usable on Apple’s > platforms. In order to address concerns about the future direction of the CT > ecosystem, Apple clients will maintain two distinct log lists of qualified > logs — those that are permitted for TLS only and those that allow other EKUs. > These new certificates will be qualified against the latter list, while TLS > certificates will continue to be qualified against the former. Today these > lists are the same, but we expect them to diverge as the CT ecosystem > progresses. > > Thanks, > > Bailey _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
