All,
This email opens up discussion of our proposed resolution of GitHub Issue #250.
Currently, MRSP section 5.3.2 (Intermediate CA Certificates must be publicly disclosed and audited) requires that all types of intermediate CAs capable of issuing server certificates and email certificates be disclosed in the CCADB. (Other root stores may have their own requirements about reporting other types of CAs – e.g. document-signing, code-signing, etc., so this discussion is not about CCADB disclosure for those types of CAs.)
Last year, we added language that required CCADB reporting of name-constrained CAs with the following language, “Name-constrained CA certificates that are technically capable of issuing working server or email certificates that were exempt from disclosure in previous versions of this policy MUST be disclosed in the CCADB prior to July 1, 2022.” Our intent at that time was that it also included CA certificates that have been revoked but not yet expired. (One of several reasons for requiring disclosure of revoked CAs is that we use this information for OneCRL.) However, there was some confusion last year about this intention because a revoked CA is not “technically capable of issuing working server or email certificates.” See discussion - https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XM7hWqmqmPw/m/MEVlq7REAAAJ
-----MRSP Proposal Begin-----
The operator of a CA certificate included in Mozilla’s root store MUST publicly disclose in the CCADB all CA certificates they issue that chain up to that CA certificate trusted in Mozilla’s root store that are technically capable of issuing working server or email certificates, including such CA certificates that are revoked but not yet expired and those CA certificates that share the same key pair whether they are self-signed, doppelgänger, reissued, cross-signed, or other roots. The CA operator with a certificate included in Mozilla’s root store MUST disclose such CA certificate within one week of certificate creation, and before any such CA is allowed to issue certificates. Name-constrained CA certificates that are technically capable of issuing working server or email certificates that were exempt from disclosure in previous versions of this policy MUST also be disclosed in the CCADB.
-----MRSP Proposal End-----
Please review this proposal and provide questions or comments here in this thread.
Thanks,
Ben and Kathleen