Transitive Trust Report
Categories: CA Program :: Common CA Database, enhancement
Tracking: Not tracked
People: Reporter: clintw, Unassigned
Details
CAs may, at times, cross-certify their Root CAs with the keys of other Root CAs. Generally, doing so requires permission from Root Programs -- though not always.
Cross-certification may alter the effective trust bits of a given Root CA's key depending on the profile used for the cross-certified subordinate CA and the trust bits associated with the signing Root CA's key, up to and including a Root CA's key becoming trusted by a Root Store which does not directly include that Root CA.
In order to better highlight these occurrences, a report should be created which identifies instances of altered trust of a Root CA due to the cross-certification of that Root CA's key by another Root CA. In particular, this report should enable easy identification of Root CAs which are only transitively trusted by participating Root Stores due to a cross-certification. Providing clarity when that transitive trust is within a given CA Owner's hierarchy versus a transitive trust resulting from one CA Owner's hierarchy cross-certifying some part of another CA Owner's hierarchy would be valuable in this context.
Secondarily, it would be helpful if such a report enabled straightforward identification of Root CAs whose associated/derived trust bits are different from the trust bits directly tied to the Root CA, and of what those differences are.
crt.sh provides similar reports and this ER would be helpful to ensure that the logic and interpretation of the impacts of cross-certification are consistent within the ecosystem.
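As an added illustration of the derivation such a report would have to perform (this is example code written for this page, not code from the bug, CCADB or crt.sh), the Python below models one Root Store's direct trust bits per Root CA key plus a set of cross-certificates, and computes the effective ("derived") trust bits by taking the least fixpoint of "a subject key inherits the issuer key's effective bits, restricted to what the cross-certificate's profile permits". The key names, CA Owners, trust bits and cross-certificates are constructed sample data; the profile is modelled simply as the set of trust bits the cross-certificate's EKU allows through (None meaning unconstrained); and chain-building details such as path-length and name constraints are deliberately left out. A key that is in the store with no trust bits stands for a Root CA the store does not include directly. Run once per participating Root Store.

```python
"""Toy model of transitive Root CA trust via cross-certification.

Constructed example: the keys, owners, trust bits and cross-certificates are
made up and are not CCADB data. 'profile_bits' stands for the trust bits a
cross-certificate's EKU lets through (None = unconstrained). Path-length and
name constraints are ignored; this is only the trust-bit derivation.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

ALL_BITS = frozenset({"Websites", "Email"})


@dataclass(frozen=True)
class RootKey:
    key_id: str
    owner: str
    direct_bits: FrozenSet[str]  # empty = not directly included in this store


@dataclass(frozen=True)
class CrossCert:
    issuer_key: str                       # key that signed the cross-certificate
    subject_key: str                      # Root CA key being cross-certified
    profile_bits: Optional[FrozenSet[str]]  # bits the cross-cert profile permits


def derived_trust(roots: List[RootKey], cross_certs: List[CrossCert]) -> Dict[str, FrozenSet[str]]:
    """Least fixpoint of effective trust bits.

    Starts from each key's direct bits and repeatedly lets every cross-cert
    carry the issuer's effective bits (restricted by the profile) to the
    subject until no key gains anything. Iterating to a fixpoint handles
    multi-hop chains and cycles; unknown keys raise KeyError on purpose.
    """
    effective = {r.key_id: set(r.direct_bits) for r in roots}
    changed = True
    while changed:
        changed = False
        for cc in cross_certs:
            allowed = ALL_BITS if cc.profile_bits is None else cc.profile_bits
            gained = (effective[cc.issuer_key] & allowed) - effective[cc.subject_key]
            if gained:
                effective[cc.subject_key] |= gained
                changed = True
    return {k: frozenset(v) for k, v in effective.items()}


def transitive_trust_report(roots: List[RootKey], cross_certs: List[CrossCert]) -> List[dict]:
    """One row per key: direct vs derived bits, what cross-certification added,
    whether the key is trusted only transitively, and whether any issuer of
    its cross-certs belongs to a different CA Owner."""
    by_key = {r.key_id: r for r in roots}
    effective = derived_trust(roots, cross_certs)
    rows = []
    for key_id in sorted(effective):
        root = by_key[key_id]
        issuers = [cc.issuer_key for cc in cross_certs if cc.subject_key == key_id]
        rows.append({
            "key": key_id,
            "owner": root.owner,
            "direct": root.direct_bits,
            "derived": effective[key_id],
            "added": effective[key_id] - root.direct_bits,
            "transitive_only": not root.direct_bits and bool(effective[key_id]),
            "cross_owner": any(by_key[i].owner != root.owner for i in issuers),
        })
    return rows


# Constructed sample data (hypothetical CAs, not real roots or owners).
SAMPLE_ROOTS = [
    RootKey("Alpha Root G1", "Alpha", frozenset({"Websites", "Email"})),
    RootKey("Alpha Root G2", "Alpha", frozenset()),          # not in store yet
    RootKey("Beta Root", "Beta", frozenset({"Email"})),      # Email only
    RootKey("Gamma Root", "Gamma", frozenset()),             # not in store
    RootKey("Delta Root", "Delta", frozenset({"Websites", "Email"})),
]
SAMPLE_CROSS_CERTS = [
    CrossCert("Alpha Root G1", "Alpha Root G2", None),                   # same owner, unconstrained
    CrossCert("Alpha Root G1", "Beta Root", frozenset({"Websites"})),    # other owner, serverAuth-only profile
    CrossCert("Alpha Root G2", "Gamma Root", frozenset({"Websites"})),   # two hops: G1 -> G2 -> Gamma
    CrossCert("Beta Root", "Delta Root", frozenset({"Email"})),          # adds nothing Delta lacks
]

if __name__ == "__main__":
    for row in transitive_trust_report(SAMPLE_ROOTS, SAMPLE_CROSS_CERTS):
        flags = []
        if row["transitive_only"]:
            flags.append("TRANSITIVE-ONLY")
        if row["added"]:
            flags.append("cross-owner" if row["cross_owner"] else "same-owner")
        print(f'{row["key"]:14} direct={sorted(row["direct"])} derived={sorted(row["derived"])} '
              f'added={sorted(row["added"])} {" ".join(flags)}')
```

In the sample, "Alpha Root G2" and "Gamma Root" are the cases the bug asks to surface: both are absent from the store's direct trust yet end up trusted, the first within one CA Owner's hierarchy and the second through another owner's key two hops away. "Beta Root" shows an altered (widened) set of trust bits rather than new trust, and "Delta Root" shows a cross-certificate that changes nothing and should not be flagged as altering trust.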