To be clear, this particular email will just be going to the CAs listed here:
https://crt.sh/mozilla-disclosures#undisclosedsummary
The intention of the email is to remind those CAs that they have an overdue action item, that needs to be completed. It is not the intention of this email to clarify policy around intermediate certificate disclosure.
> what to do about intermediate CAs which were created since the last audit.
> We should work out what to do about that, at least in the short term,
I agree that I should add a section about that to
https://wiki.mozilla.org/CA:SalesforceCommunity
I don't agree that it needs to be resolved before reminding these particular CAs about their overdue action items. If they fall into that category, then they can respond to my email stating that.
> Disclosed, but audit and CP/CPS data incomplete
To be handled differently...
I plan to add automation to Salesforce that will send email to CAs with intermediate cert data that has incomplete or outdated audit/CP/CPS information in Salesforce. (similar to the automated audit reminder emails that get sent to CAs regarding their included root certs.)
> uploading intermediates
> to the Common CA Database is an ongoing responsibility, not just a
> one-off task. This should be kind of obvious, but at least one person at
> the CAB Forum suggested it needed making more clear.
Please see
https://wiki.mozilla.org/CA:SalesforceCommunity#CA_Community_in_Salesforce
and let me know if you still think we need to add a sentence to the wiki page stating that CAs are expected to maintain this data on an ongoing basis.
> For CA certificates signed or cross signed after the June deadline,
> there is an ongoing requirement to enter them within ? calendar days
> (?? hours) after signing them, preferably earlier.
>
> For all the CA certificates entered in SalesForce, there is an ongoing
> requirement to keep the information up to date, e.g. when there are
> updates to audit reports, policy documents, ownership etc. Generally
> within ?? calendar days (??? hours) after these changes occur. In
> particular, changes of ownership should be reported as soon as they are
> operational facts, even if the legal process of ownership change has
> not yet completed.
Perhaps I need to add a section called "CA Responsibilities" to
https://wiki.mozilla.org/CA:SalesforceCommunity
Here's the current draft of the email that I plan to send to the CAs listed in
https://crt.sh/mozilla-disclosures#undisclosedsummary
~~
Subject: ACTION REQUIRED: Non-Disclosed non-technically-constrained Intermediate Certs
Dear Certification Authority,
You are receiving this email because our records indicate that there are non-technically-constrained intermediate certificates that chain up to your root certificates that are included in Mozilla’s program that have not been entered into the CA Community in Salesforce. The deadline for CAs to disclose their intermediate certificate data in the CA Community in Salesforce was June 2016. Mozilla is going to begin discussions in the mozilla.dev.security.policy forum about action to take for any remaining non-disclosed non-technically-constrained intermediate certificates and the CAs who are responsible for those CA hierarchies.
The following was stated in Mozilla’s March 2016 CA Communication (
https://wiki.mozilla.org/CA:Communications#March_2016):
Beginning with Version 2.1 of Mozilla's CA Certificate Policy, for any certificate which directly or transitively chains to the root certificates you currently have included in Mozilla's CA Certificate Program, which are capable of being used to issue new certificates, and which are not technically constrained as described in Section 9 of Mozilla's CA Certificate Inclusion Policy, you are required to provide public-facing documentation about the certificate verification requirements and annual public attestation of conformance to said requirements. This includes certificates owned by, operated by, or issued by third parties, whether or not those issuing certificates are already part of Mozilla's CA Certificate Program, if they have been cross-signed by a certificate that directly or transitively chains to your root certificate.
To facilitate this public disclosure, Mozilla is requiring that these certificates, as well as their CP/CPS and audit statements, be entered into Mozilla's CA Community in Salesforce. This includes the full PEM data of every intermediate certificate that directly or transitively chains to your included root certificates, provided that the root certificate is enabled with the Websites trust bit and the intermediate certificate is not Technically Constrained, as described in Section 9 of Mozilla's CA Certificate Inclusion Policy.
This also includes every variation of these certificates, in the event they were reissued, such as to change the contents of extensions or validity dates.
Please see
https://wiki.mozilla.org/CA:SalesforceCommunity for information about which intermediate certificate data you are expected to enter into the CA Community in Salesforce, and instructions on how to do so.
In particular, CAs must add records to the CA Community in Salesforce for all certificates that are capable of being used to issue new certificates, and which directly or transitively chain to their certificate(s) included in Mozilla’s CA Certificate Program that are not Technically Constrained via Extended Key Usage and Name Constraint settings.
Intermediate certificates are considered to be technically constrained, and do not need to be added to the CA Community in Salesforce if:
- The intermediate certificate has the Extended Key Usage (EKU) extension and the EKU does not include any of these KeyPurposeIds: anyExtendedKeyUsage, id-kp-serverAuth; or
- The EKU extension in the intermediate certificate includes the anyExtendedKeyUsage or id-kp-serverAuth KeyPurposeIds, and the intermediate certificate includes the Name Constraints extension as described in section 7.1.5 of the CA/Browser Forum's Baseline Requirements; or
- The root certificate is not enabled with the Websites trust bit.
Records should also be added to the CA Community in Salesforce for revoked certificates that were capable of being used to issue new certificates, and which directly or transitively chain to their certificate(s) included in Mozilla’s CA Certificate Program and were not Technically Constrained via Extended Key Usage and Name Constraint settings.
If you are still unclear about which intermediate certificates your CA still needs to disclose in the CA Community in Salesforce, you may view the data here:
https://crt.sh/mozilla-disclosures#undisclosed