Where are the lists of public disclosed subCAs?

Matthew Pun

May 2, 2015, 1:36:30 PM
to mozilla-dev-s...@lists.mozilla.org
The Mozilla CA Certificate Policy requires that all subordinate CAs which chain to Mozilla-accepted root CAs be technically constrained or publicly disclosed and audited. Regarding public disclosure, it further specifies that:

"The Certificate Policy or Certification Practice Statement of the CA that has their certificate included in Mozilla's CA Certificate Program must specify where on that CA's website all such public disclosures are located."

I checked several large CAs, which all have unconstrained subCAs, and could not find such a statement in their CPS or CP.

CyberTrust (https://cybertrust.omniroot.com/repository) does not appear to have disclosed its subCAs anywhere.
GeoTrust (https://www.geotrust.com/resources/repository/legal) has disclosed its subCAs in a bug (https://bugzilla.mozilla.org/show_bug.cgi?id=1019860).
Comodo (https://www.comodo.com/about/comodo-agreements.php) and Entrust (http://www.entrust.net/CPS) have disclosed the list on their web sites but do not refer to the disclosure in their CPS/CP.

Are these not violations of Mozilla policy? Or am I missing something?

Richard Barnes

May 2, 2015, 6:48:51 PM
to Matthew Pun, mozilla-dev-s...@lists.mozilla.org
Hey Matthew,

I believe we are in the process of collecting this information from CAs.

But there's probably a good meta point here, that we should have
effective dates for Mozilla policies, just like the BRs.

--Richard

Sent from my iPhone. Please excuse brevity.

Kurt Roeckx

May 2, 2015, 7:09:59 PM
to Richard Barnes, mozilla-dev-s...@lists.mozilla.org, Matthew Pun
On Sat, May 02, 2015 at 06:48:44PM -0400, Richard Barnes wrote:
> Hey Matthew,
>
> I believe we are in the process of collecting this information from CAs.

I understand that this is being collected in SalesForce and that
at some point we should be able to get that list.

In the current form it's not at all useful.


Kurt

Clint Wilson

May 2, 2015, 8:40:59 PM
to mozilla-dev-s...@lists.mozilla.org
If the information in the responses from May 2014 isn't also reflected in the CPS/CP, that may indeed be a violation of Mozilla policy on some level.

As others have said, Mozilla is also actively collecting up-to-date information about subCAs. Though not the CA's CPS/CP, these annual (I think) surveys do still give some idea of what subCAs each CA has and provide a secondary point of disclosure.

For the responses collected in May 2014, refer to the spreadsheet here: https://docs.google.com/spreadsheets/d/1v-Lrxo6mYlyrEli_wSpLsHZvV5dJ_vvSzLTAMfxI5n8/pubhtml

(I also duplicated the data from the first sheet above in a public spreadsheet which you can easily save a copy of here: https://docs.google.com/spreadsheets/d/1O0bGml-bR71YaHM8eiF7j-p0q7gBg2s5rJ7ZVDwLzBg/edit?usp=sharing)

As this information is collected/disclosed, Mozilla typically posts it to their CA:Communications wiki page: https://wiki.mozilla.org/CA:Communications