US Govt run cert-root

Paul Campbell paul at
Sun Mar 5 23:31:56 GMT 2017

Here's something that's potentially scary - a root-cert run by the US military 
- we won't do anything bad - trust us ....

From: dev-security-policy <dev-security-policy-bounces at> on behalf of Eric Mill via dev-
security-policy <dev-security-policy at>
Sent: Friday, 3 March 2017 09:45
To: dev-security-policy at
Subject: [FORGED] A new US government CA for the web PKI

Hi all,

Though we’re not at the point of filing an application for Mozilla’s root
program, I wanted to share with this community the beginnings of an effort
by the US government to start a new PKI intended for publicly trusted
certificates. This effort is being led by the General Services
Administration and the Department of Defense.

Our goal is to start a new root and set of issuing CAs that is completely
disconnected and separate from the existing Federal PKI bridge network that
members of the web PKI community may be familiar with. The existing Federal
PKI is used to issue many kinds of certificates, including those used for
enterprise devices and for government personal identity verification (PIV).

This new hierarchy would focus only on certificates intended for devices on
the internet, rather than people, and their operation and policies are
intended to adhere strictly to web PKI requirements, as expressed through
the CA/Browser Forum’s Baseline Requirements and those of various root
programs. In addition, this hierarchy is intended only to serve US
government operated devices, and so we welcome appropriately narrow name
constraints that reflect that.
While we’re still in the early stages, we are working on the root policy
documents -- including a CP, CPS, and various certificate profiles -- in
public on GitHub:

One additional thing I’d like to mention is that we’re fully in support of
the goals of Certificate Transparency. This project was initiated prior to
Chrome announcing its October 2017 CT requirement, and our intent from the
beginning has been to log 100% of issued certificates, with no special need
for redaction. As part of this, we are evaluating the possibility of
creating a new CT log that can issue SCTs considered valid by browsers for
policy enforcement.

We generally intend the issuing CAs to support automated certificate
issuance, which includes evaluating existing standard protocols. In
general, we expect to use and support open standards and open source tools
where they support the effort.

Since we’re not yet an applicant, this forum may not be the best place for
an extended discussion (though we’re happy to engage in discussion here if
people would like), but we’re actively seeking public participation and
input during the process -- issues and pull requests to the GitHub
repository above are quite welcome, and we’ll create additional repos as we
go for other parts of the project.

As we make progress, we hope to contribute positively to the web PKI and CT
ecosystem, and we plan to be engaging publicly with the community here and
other places along the way.

-- Eric

(P.S. This is my first email to the list from my work .gov address, so I'll
just quick note that that means I'm speaking in my work capacity. Emails
that are not from my work address are not speaking in my work capacity.)

Eric Mill
Senior Advisor, Technology Transformation Service, GSA
eric.mill at, +1-617-314-0966
dev-security-policy mailing list
dev-security-policy at

More information about the Discuss mailing list