> I'm wordsmithing item 7 under MRSP section 3.3. Draft language is: "7. Effective December 31, 2022, CA operators SHALL maintain links in their online repositories to all reasonably available historic versions of CPs and CPSes (or CP/CPSes) from the creation of included CAs, regardless of changes in ownership or control of such CAs, until the entire CA certificate hierarchies (i.e. end entity certificates, intermediate CA certificates, and cross-certificates) operated in accordance with such documents are no longer trusted by the Mozilla root store."
I've had this thought before, but how does this hierarchy qualifier work?
I can think of a cross-signing chain in which a root cross-signs a
replacement root, which then has their own cross-signed replacement,
etc., resulting in a hierarchy of certificates of which the initial
root has long expired but newer roots (and leaf certificates) still
are trusted.
For example:
Root R1, expired
  ^- X-signed R2, R2 is in root store
     ^- X-signed R3, trust from R2
        ^- Intermediate CA, trust from R2 through R3, technically in hierarchy of R2 and R1.
           ^- Leaf Certificate
The hierarchy of R1 still is partially trusted, but it itself is not
trusted anymore. Would the CA operator need to retain the CP/CPSes for
that R1?
Wouldn't a qualifier for "valid certificate paths" be useful here to
exclude expired and/or revoked (cross) CAs from the hierarchy?
Kind regards,
Matthias van de Meent