On 4/4/13 3:19 AM, Erwann Abalea wrote:
> Le jeudi 4 avril 2013 11:29:22 UTC+2, Rob Stradling a �crit :
>> On 04/04/13 02:25, Kathleen Wilson wrote:
>>> On 4/3/13 9:18 AM, Erwann Abalea wrote:
>>>> That's an old thread, I know.
>>>>
>>>> Talking about technically constrained subordinate CAs, when has the
>>>> constraint about domains used in email addresses been removed?
>>>> In draft versions, it was required that the domains be set as
>>>> rfc822Name in the permittedSubTrees field of the NC extension. On the
>>>> published one, there's no technical constraint of that kind.
>>>>
>>>> Can't Thunderbird enforce such a constraint? Is it useless? Is there
>>>> any reason I missed for that constraint to have been deleted?
>> <snip>
>>
>>> I don't recall the details, but I remember that some CAs need to use
>>> business controls to constrain the email addresses to be used in S/MIME
>>> certs, because the technical control (e.g. name constraints in the
>>> subCA) was not feasible/reasonable for large enterprise customers.
>>
>> Hi Erwann. FYI, here's the thread where this issue was discussed:
>>
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/l1BAEHjKe8Q
>
> Thanks to both of you.
>
> The thread switched to update mechanism, timeframe, and CT support, and I missed the interesting part (I'm not saying the other topics aren't interesting, not at all).
>
> Am I right in my understanding:
> - it's not easy to technically constrain a subordinate CA
> which will issue email certificates to business partners, and the
> cost of such constraints isn't balanced by an equivalent benefit
> (I'm talking about risk, not money)
That is my understanding too.
> - code to verify the technical constraints will be added to
> Firefox and Thunderbird first, then migrated to NSS when successful
Actually, the code to verify the technical constraints will be (or is
already) in NSS, which is used by Mozilla products.
NSS already supports Name Constraints in intermediate certs.
My understanding is that NSS already supports the use of EKU in
intermediate certs too, but test cases may need to be added.
https://bugzilla.mozilla.org/show_bug.cgi?id=725351#c2
> - there's much more pressure (more risk) on TLS certs, so this
> use-case has been prefered
Well, that is the way my work is prioritized.
Kathleen