On Thu, February 20, 2014 9:37 am, Ruy Ramos wrote:
> On 02/18/2014 08:28 PM, Ryan Sleevi wrote:
> > On Tue, February 18, 2014 5:28 am, Ruy Ramos wrote:
> >> On 02/15/2014 04:42 PM, David E. Ross wrote:
> >>> I noticed in the open bug reports for adding new root certificates
> >>> that
> >>> several national certification authorities are actually acting as
> >>> super
> >>> CAs without complete accountability for the operations of their
> >>> subsidiary CAs. Is the plan to eventually include the roots of the
> >>> super CAs in the NSS database? Or will only the roots of the
> >>> subsidiary
> >>> CAs be included, after the usual Mozilla review process? How will
> >>> this
> >>> be decided?
> >>>
> >>> See:
> >>> <
https://bugzilla.mozilla.org/show_bug.cgi?id=335197>
> >>> <
https://bugzilla.mozilla.org/show_bug.cgi?id=438825>
> >>> <
https://bugzilla.mozilla.org/show_bug.cgi?id=557167>
> >>>
> >> The brazilian root CA for ICP-Brasil has complete accountability for
> >> the
> >> operations of its subsidiary CAs. That is achieved by annual audit
> >> procedures take into effect by ITI, the federal agency that plays the
> >> role of Root CA of ICP-Brasil. So, in our opinion, it doesn't make
> >> any
> >> sense to include only the subsidiary CAs certificates, cause the
> >> trusted
> >> chain won't be correctly achieved without the check against the root
> >> certificates of ICP-Brasil root CA (the ITI's certificates). So, in
> >> our
> >> case, we would like very much to see the root certificates of the so
> >> called super CA (ITI root certificates) included in the NSS database.
> >> Otherwise, it won't work for the brazilian applications
> >>
> >> Ruy Ramos
> >> ITI
> >> --
> > Can you please explain what you mean by "the trusted chain won't be
> > correctly achieved"?
> >
> > Trust anchors do not need to be root certificates. So why, specifically
> > and technically, does the ICP-Brasil root need to be included?
> >
> We have as a rule validating the entire chain of certification, and any
> application that deals with a certificate will require closing the trust
> chain to the root certificate. So,
> in this case we have the complete chain or trust anchor in ICP-BRASIL
> root.
That's not required by RFC5280. A trust anchor does not need to be a
self-signed root. If you have specific applications that require that, you
should fix them.
If you're believe there are bugs in NSS's implementation that prevents
trust anchors from appearing anywhere on the chain, file bugs and we'll
fix them.
>
> Otherwise, if the option to insert intermediate or subsidiaries
> authorities is implemented, the responsibility to validate the chain is
> the browser (NSS)?!
Considering it's always the browser's responsibility to validate the
chain, I don't understand your issue here.
If you have some custom PKI client software, running for plugins or
something else that is not part of Mozilla Firefox, then I'm not
sympathetic towards your bugs, nor do I buy the argument that your bugs
should prevent Mozilla from encouraging good PKI practice.
>
> To illustrate the hierarchy of ICP-Brazil, in annex have a diagram. We
> have 13 first-level authorities and 46 second-level authorities for a
> single root CA (v2).
Sure. And those 13 first-level authorities can each apply for inclusion
within Mozilla, which is how things have currently been accomplished.
Under the Mozilla policy, each of those 13 first-level authorities and 46
second-level authorities are required to be compliant to the Mozilla
policy. As such, it should be "trivial" to demonstrate this is the case.
In practice and reality, this actually turns out to not be the case, which
is why I support Mozilla's request that the 13 first-level authorities
apply for inclusion themselves - so that it's clear to Mozilla (and the
public) whether or not ICP-Brazil is fully comforming with the Mozilla
policy throughout the PKI hierarchy.