Policy 2.8: MRSP Issue 195: Require public discussion when an organization receives a new subCA


Ben Wilson

Jan 21, 2022, 9:57:21 PM
to dev-secur...@mozilla.org
All,

This email introduces public discussion regarding additions/clarifications to be included in the next version of the Mozilla Root Store Policy (MRSP), version 2.8, to be published this year. (See https://github.com/mozilla/pkipolicy/labels/2.8)

Github Issue #195 proposes that we clarify that public discussion is required when a new CA operator (not previously part of the Mozilla Program) obtains a sub CA that is not technically constrained.

Here is some draft language for discussion. It would add to MRSP Section 7.1, after "We will make such decisions through a public process.", the following:

This public-review-and-discussion process SHALL also occur for any CA operator obtaining an unconstrained CA certificate that has not previously undergone such process, regardless of when the unconstrained CA certificate was obtained. This includes CA operators with intermediate CAs that are currently trusted by Mozilla even though they do not have root CAs trusted by Mozilla (i.e. there is no "bootstrapping" or "grandfathering" for CA operators who have not previously undergone a public-review-and-discussion process by Mozilla).


We welcome your comments and suggestions.

Thanks,

Ben Wilson
Mozilla Root Program

Ben Wilson

Feb 11, 2022, 6:13:53 PM
to dev-secur...@mozilla.org
All,

Here is another version of the proposed change to more clearly address Issue #195 (require public discussion when an organization receives a new subCA). https://github.com/BenWilson-Mozilla/pkipolicy/commit/635b59a381e1b0087cc2fc0804e80173a766e9e6

Even though version 2.8 of Mozilla Root Store Policy has not yet been adopted, CA operators accepted in the Mozilla program should already be aware of this existing wiki page concerning the creation of unconstrained intermediate CAs:  https://wiki.mozilla.org/CA/External_Sub_CAs_not_Technically_Constrained. Therefore, I do not believe we need to specify a later effective date for this change. If there are problems or concerns with this approach, then please let me know.

These recent proposed changes are to help ensure that we have adequate bandwidth to handle the public discussions that we expect to have for the issuance of new CA certificates. However, despite this new language, we may still review the intermediate CA certificates of third party CA operators with existing non-technically constrained intermediate CAs who haven't undergone a public discussion and later decide to have public discussions concerning such CA operators.
 
Thanks,

Ben


Ben Wilson

Mar 18, 2022, 5:14:00 PM
to dev-secur...@mozilla.org
All,

As a follow-up to the previous post in this thread, I'm looking to streamline the public review process by addressing replacement CA certificates.

Currently, a key phrase in the wiki page (https://wiki.mozilla.org/CA/External_Sub_CAs_not_Technically_Constrained) is "The process outlined herein applies to root CA operators intending to sign a new subCA certificate that will grant the subCA operator the ability to issue certificates that they were not previously capable of issuing."

I intend to clarify this in both the MRSP v.2.8 and the wiki page with language that allows replacement of existing CA certificates without requiring the public discussion process.

For discussion purposes, let's assume that in 2020, the Root CA operator issued an unconstrained four-year CA certificate to an externally operated CA operator that has not previously been through a public discussion process. Now suppose that the same Root CA operator is about to issue a new, nearly-identical CA certificate to the same third-party CA operator. Under this new proposal, that issuance would be allowed without requiring public discussion. (Public discussion would occur later when a different CA-certificate-issuance situation presented itself with respect to that CA operator.) 

Under this proposal, the change to section 7.1 of MRSP v.2.8 would read:

A public-review-and-discussion process, defined in [Process for Review and Approval of Externally Operated Subordinate CAs], SHALL occur whenever a CA operator has not previously undergone such process for the type of certificate to be issued and the CA operator will obtain a new unconstrained CA certificate with new issuance capabilities.   

For clarity, CA operators with intermediate CAs that are currently trusted because of having been signed by root CAs trusted by Mozilla are subject to this requirement. However, this process is not required when:

- the CA operator has already undergone the public-review-and-discussion process for the type of certificate to be issued;

- new certificate-issuance capabilities are not being introduced;

- both CA operators are already in the Mozilla root program for the type of certificate to be issued; or

- the new CA certificate will be issued with the same issuance capabilities by the same root CA to replace a CA certificate that was issued prior to [date].


Also, the following part of the wiki page, https://wiki.mozilla.org/CA/External_Sub_CAs_not_Technically_Constrained, would be modified so that it is identical to the proposed MRSP change:

The process outlined herein is not required when:

- the CA operator has already undergone the public-review-and-discussion process for the type of certificate to be issued;

- new certificate-issuance capabilities are not being introduced;

- both CA operators are already in the Mozilla root program for the type of certificate to be issued; or

- the new CA certificate will be issued with the same issuance capabilities by the same root CA to replace a CA certificate that was issued prior to [date].


Thoughts?

Thanks,

Ben
