Hi there,
I agree, Gerv's remarks are a bit confusing with respect to the concern.
You are correct that the process of establishing a new root generally
involves the creation of a self-signed certificate, and then any
cross-signing that happens conceptually creates an 'intermediate' - so you
have a key shared by a root and an intermediate.
This is not forbidden; indeed, you can see in my recent suggestions to
Symantec/DigiCert, it can and often is the best way for both compatibility
and interoperability. Method #2 that you mentioned, while valid, can bring
much greater compatibility challenges, and thus requires far more careful
planning and execution (and collaboration both with servers and in
configuring AIA endpoints)
However, there is a criticism to be landed here - and that's using the same
name/keypair for multiple intermediates and revoking one/some of them. This
creates all sorts of compatibility problems in the ecosystem, and is thus
unwise practice.
As an example of a compatibility problem it creates, note that RFC5280
states how to verify a constructed path, but doesn't necessarily specify
how to discover that path (RFC 4158 covers many of the strategies that
might be used, but note, it's Informational). Some clients (such as macOS
and iOS, up to I believe 10.11) construct a path first, and then perform
revocation checking. If any certificate in the path is rejected, the leaf
is rejected - regardless of other paths existing. This is similar to the
behaviour of a number of OpenSSL and other (embedded) PKI stacks.
Similarly, applications which process their own revocation checks may only
be able to apply it to the constructed path (Chrome's CRLSets are somewhat
like this, particularly on macOS platforms). Add in caching of
intermediates (like mentioned in 4158), and it quickly becomes complicated.
For this reason - if you have a same name/key pair, it should generally be
expected that revoking a single one of those is akin to revoking all
variations of that certificate (including the root!)
Note that all of this presumes the use of two organizations here, and
cross-signing. If there is a single organization present, or if the
'intermediate' *isn't* intended to be a root, it's generally seen as an
unnecessary risk (for the reasons above).
Does that help explain?
> _______________________________________________
> dev-security-policy mailing list
>
dev-secur...@lists.mozilla.org
>
https://lists.mozilla.org/listinfo/dev-security-policy
>