Andrew Ayer filed two bugs yesterday [1] [2] that might be worthy of a bit of discussion. They both appear to be in reference to root certificates included in the Mozilla program that are cross-signed by a different TSP (CA). In both cases the TSP that signed the cross-certificate has had it audited, and disclosed it in CCADB as operating under their own CPS.
For example:

- TSP 1 has Root A (subject A, issuer A, public key A) included in the Mozilla root store
- TSP 2 has Root B (subject B, issuer B, public key B) also included in the Mozilla root store
- TSP 2 has signed a cross certificate (subject A, issuer B, public key A) with Root B.

TSP 2 has disclosed the cross-certificate in CCADB, has it included in their audit, and asserts that it is operated under their CP/CPS.

One issue, that I recall having been previously discussed, is that TSP 1 has no way of knowing if another TSP has cross-signed one of their CA certificates, so it makes sense to require disclosure from the TSP that issued the cross-certificate.

I think Andrew is asserting that the cross-certificate is really operated by the root TSP that is in control of the key-pair (TSP 1), and should be audited and disclosed as such. Should that be our policy?

A secondary question is if the disclosures made by GoDaddy and Sectigo and documented in the bugs filed by Andrew violate our current policies?

- Wayne

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1567060
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1567061

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
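To make the Root A / Root B / cross-certificate structure concrete, here is an added Go example (not code from the thread, Mozilla, or either TSP) that builds the three certificates from the scenario with freshly generated keys and shows why the cross-certificate is ambiguous: it verifies under Root B's signature, yet its SubjectPublicKeyInfo is Root A's, so only TSP 1 can ever use it. The names, serial numbers and validity period are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// caTemplate is a minimal CA template; names and serials are constructed placeholders.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// issue signs tmpl over pub with priv, which must be the parent's private key.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// CrossSignDemo builds Root A (TSP 1), Root B (TSP 2) and TSP 2's cross-certificate for key A.
func CrossSignDemo() (rootA, rootB, cross *x509.Certificate) {
	keyA, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // held only by TSP 1
	keyB, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // held only by TSP 2
	tA, tB := caTemplate("Root A (TSP 1)", 1), caTemplate("Root B (TSP 2)", 2)
	rootA = issue(tA, tA, &keyA.PublicKey, keyA) // subject A, issuer A, public key A
	rootB = issue(tB, tB, &keyB.PublicKey, keyB) // subject B, issuer B, public key B
	// subject A, issuer B, public key A: TSP 2 signs it, but only TSP 1 can use it.
	cross = issue(caTemplate("Root A (TSP 1)", 3), rootB, &keyA.PublicKey, keyB)
	return
}

// IsCrossSignOf reports whether cross carries root's SubjectPublicKeyInfo (same key-pair) while
// being signed by a different CA, signer. SPKI comparison finds cross-signs the key holder never saw.
func IsCrossSignOf(cross, root, signer *x509.Certificate) bool {
	return bytes.Equal(cross.RawSubjectPublicKeyInfo, root.RawSubjectPublicKeyInfo) &&
		cross.Issuer.String() != cross.Subject.String() && cross.CheckSignatureFrom(signer) == nil
}
```

Run against a real root store, the same SPKI comparison over CCADB's disclosed intermediates is how a root program can list every cross-certificate issued for a given included root key, whichever TSP disclosed it.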

