Closed Bug 561024 Opened 16 years ago Closed 9 years ago

Require disclosure of the identities of external private sub-CAs

Categories

(CA Program :: CA Certificate Root Program, task)

RESOLVED WONTFIX

People

(Reporter: matt, Assigned: kathleen.a.wilson)

Details

Current Mozilla policies do not require root CAs to disclose the identities of their external private sub-CAs: https://groups.google.com/group/mozilla.dev.security.policy/msg/9697d2385a5884e8
The policies should be changed to require this disclosure because users need the information in order to make their own decision of whether to trust a root CA, as it has been repeatedly stated that it is their duty to do. This is being discussed in mozilla.dev.security.policy:
https://groups.google.com/group/mozilla.dev.security.policy/msg/e0f4b04a2565f3a5
https://groups.google.com/group/mozilla.dev.security.policy/msg/2cc053e61ffaa2e9
https://groups.google.com/group/mozilla.dev.security.policy/msg/9ab28e7420a393c9
I am entering a bug so that the issue is not forgotten and to serve as a target for voting.
When a certificate authority uses its root certificate to sign an intermediate certificate that will have only third-party, private use, I can understand business reasons for not disclosing the customer's identity. On the other hand, such an intermediate certificate could then become a profit center for the third party if that entity decides to enter the certificate market as a vendor. I would rather see the policy exclude any root certificates that have signed certificates for third-party, private use. That would eliminate any need to disclose the identity of a non-vendor while also eliminating the risk from a third-party, private user becoming a non-verified vendor.
My second paragraph should instead read: I would rather see the policy exclude any root certificates that might be used to sign intermediate certificates for third-party, private use. The certificate authority's CP/CPS should explicitly reject the signing of such intermediate certificates. That would eliminate any need to disclose the identity of a non-vendor while also eliminating the risk from a third-party, private user becoming a non-verified vendor chaining up to a root certificate in the NSS database. This should not prevent the certificate authority from having additional root certificates specifically for signing intermediate certificates for third-party, private use; those additional root certificates simply will not be in the NSS database.
I didn't intend to move the discussion here from the newsgroup. The Mozilla community seems to prefer that discussion of issues like this one occur in newsgroups.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
None of the Web pages cited in comment #4 address "external private sub-CAs". How then is this bug report closed?
Mozilla currently requires disclosure of non-technically-constrained subCAs, as described here: https://wiki.mozilla.org/CA:SalesforceCommunity#Which_intermediate_certificate_data_should_CAs_add_to_Salesforce.3F I do not have plans to require more than that, so changing this bug to wontfix. However, there is discussion ongoing in the mozilla.dev.security.policy forum, debating whether technically-constrained subCAs must also be disclosed.
Resolution: FIXED → WONTFIX
Product: mozilla.org → NSS
Product: NSS → CA Program