On 15 Nov 2022 at 00:33 Ben Wilson <
bwi...@mozilla.com> wrote:
> This discussion thread relates to the GitHub Mozilla PKI Policy Issue #249.
>
> Here are the currently proposed changes to item 7 of Mozilla Root Store Policy (MRSP) section 3.3:
>
> Effective December 31, 2022, CA operators SHALL maintain links in their online repositories to all reasonably available historic versions of each CP and CPS (or CP/CPS) from the creation of included CAs, regardless of changes in ownership or control of such root CAs, until the entire root CA certificate hierarchy (i.e. end entity certificates, intermediate CA certificates, and cross-certificates) operated in accordance with such documents is no longer trusted by the Mozilla root store.
I'm having trouble grasping when a CA may stop maintaining those
links. As I asked earlier in [0], when is the CA certificate hierarchy
of such documents no longer considered trusted by the Mozilla Root
Store?
It seems to me that the usage of cross-certificates would make it
highly unlikely for a whole hierarchy to become no longer trusted,
because cross-certificates for replacement roots are fairly common and
each of those grows the hierarchy of a CA and delays the expiration of
the whole hierarchy by the replacement root's lifetime.
As an example:
Root R1,expired
. ^- X-signed R2, R2 is in root store
. . ^- X-signed R3, trust from R2
. . . ^- Intermediate ICA1, trusted from R2 through R3, technically in
the hierarchy of both R2 and R1.
. . . . ^- Leaf Certificate
Can the CPs, CPSs and CP/CPSs that cover R1 before R2 was created be
deleted? Or those that cover R1 before R3 was created?
ICA1 is trusted, as is the Leaf Certificate, and the certificates are
part of the hierarchy of R3, which is part of R2's, which is part of
R1's, right? Then isn't Leaf Certificate also part of R1's hierarchy,
thus requiring CAs to maintain the documents forever, or start a new
root without cross-certificates to any old roots?
Kind regards,
Matthias van de Meent
[0]
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/JnNgyxhBiZo/m/r54RxJhLAgAJ
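The hierarchy sketched in the message above, modelled as an added example (this is not code from the thread or from Mozilla; the names R1, R2, R3, ICA1 and the dates are hypothetical). It enumerates every chain from the leaf up to a self-signed certificate, deliberately continuing through cross-certificates instead of stopping at the first trust anchor, so that the set of roots the leaf structurally descends from can be compared with the set it is actually trusted through:

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed toy hierarchy mirroring the example in the message above.
# Names and dates are hypothetical; only the issuance structure matters.
CERTS = [
    Cert("R1", "R1", date(2020, 1, 1)),      # R1: self-signed, expired
    Cert("R2", "R1", date(2030, 1, 1)),      # R2 cross-signed by R1
    Cert("R2", "R2", date(2035, 1, 1)),      # R2: self-signed, in root store
    Cert("R3", "R2", date(2033, 1, 1)),      # R3 cross-signed by R2
    Cert("R3", "R3", date(2040, 1, 1)),      # R3: self-signed, not in root store
    Cert("ICA1", "R3", date(2030, 1, 1)),    # intermediate issued by R3
    Cert("leaf", "ICA1", date(2024, 6, 1)),  # end-entity certificate
]
ROOT_STORE = {"R2"}
TODAY = date(2023, 6, 1)


def build_chains(leaf_subject, certs):
    """Enumerate every chain from leaf_subject up to a self-signed certificate.

    A browser path builder stops as soon as it reaches a trust anchor; this
    walk keeps going through cross-certificates so that every root the leaf
    structurally descends from shows up, including expired or unincluded ones.
    """
    by_subject = {}
    for c in certs:
        by_subject.setdefault(c.subject, []).append(c)

    chains = []

    def walk(chain):
        top = chain[-1]
        if top.self_signed:
            chains.append(tuple(chain))
            return
        for issuer_cert in by_subject.get(top.issuer, []):
            if issuer_cert in chain:  # guard against cross-signing loops
                continue
            walk(chain + [issuer_cert])

    for leaf_cert in by_subject.get(leaf_subject, []):
        walk([leaf_cert])
    return chains


def chain_is_trusted(chain, store, today):
    """True if the chain ends in a store root and no certificate has expired."""
    root = chain[-1]
    return root.subject in store and all(c.not_after >= today for c in chain)


def structural_roots(leaf_subject, certs):
    """Every root the leaf belongs to by issuance, trusted or not."""
    return {chain[-1].subject for chain in build_chains(leaf_subject, certs)}


def trusted_roots(leaf_subject, certs, store, today):
    """Only the roots reachable through a currently valid, trusted chain."""
    return {
        chain[-1].subject
        for chain in build_chains(leaf_subject, certs)
        if chain_is_trusted(chain, store, today)
    }


if __name__ == "__main__":
    for chain in build_chains("leaf", CERTS):
        status = "trusted" if chain_is_trusted(chain, ROOT_STORE, TODAY) else "untrusted"
        print(" <- ".join(f"{c.subject}(by {c.issuer})" for c in chain), status)
    print("structural:", sorted(structural_roots("leaf", CERTS)))
    print("trusted:   ", sorted(trusted_roots("leaf", CERTS, ROOT_STORE, TODAY)))
```

Run as a script, it lists three chains for the leaf: one ending in the expired R1, one ending in the included R2, and one ending in the uninclued self-signed R3. Only the R2 chain is trusted, yet the leaf (and R2 itself, via its cross-certificate) remains structurally part of R1's hierarchy, which is exactly the ambiguity the question above turns on: whether "hierarchy" means every issuance path or only the paths a relying party currently trusts.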