Hi Ben,
I provided a few comments to Kathleen which she incorporated into the WIKI as guidance, but wondered if some of them should be reflected in the Mozilla policy as well. Specifically I don’t think the policy is clear that there are exactly 6 valid reasons (5 of which MUST be contained in the CRL). This is just a suggestion, nothing major
1) The policy does not explicitly prohibit the use of reason codes other than the list below for the revocation of TLS certificates. I think it should be crystal clear, the same as Kathleen’s updates to the wiki. The following reason codes are permitted in CRLs. All others are prohibited.
2) the policy does not say that CAs or Subscribers can use the unspecified reason code. I think this should be explicitly called out as a valid reason code (although, it’s not to be included into the CRL)
I’d recommend adding something like this:
TLS certificates (i.e. a certificates capable of being used for TLS-enabled servers) maybe revoked for any of the following reasons. No other reasons are permitted.
The following reason codes MUST appear in the CRL when revoked for these reasons:
** The privilegeWithdrawn reasonCode does not need to be made available to the certificate subscriber as a revocation reason option, because the use of this reasonCode is determined by the CA and not the subscriber.
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaby8DypMdN2ih3xF_nf0FoshtaKUes-KC%2Baxfi-3cRiqw%40mail.gmail.com.
5.4 Precertificates
Certificate Transparency precertificates are considered by Mozilla to be a binding intent to issue a certificate, as described in section 3.1 of RFC 6962, and thus in-scope for enforcing compliance with these requirements. Thus,
· if a final certificate cannot be verified as matching a precertificate using the algorithms in RFC 6962, then two distinct final certificates are presumed to exist, and it is misissuance if the two final certificates have the same serial number and issuer, even if only one final certificate actually exists;
· if a precertificate implies the existence of a final certificate that does not comply with this policy, it is considered misissuance of the final certificate, even if the certificate does not actually exist;
· a CA must be able to revoke a certificate presumed to exist, if revocation of the certificate is required under this policy, even if the final certificate does not actually exist; and
· a CA must provide CRL and OCSP services and responses in accordance with this policy for all certificates presumed to exist based on the presence of a precertificate, even if the certificate does not actually exist.
Hi Ben,
While there is an effective date of October 1st for the CRL and OCSP profile for reason codes, does the October 1st effective date also apply for when Mozilla expects CA subscriber agreements to be updated [1]?
Thanks,
Corey
From: dev-secur...@mozilla.org <dev-secur...@mozilla.org> On Behalf Of Ben Wilson
Sent: Wednesday, April 13, 2022 1:18 PM
To: dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Subject: Policy 2.8: Final Review of MRSP v. 2.8
All,
--
please consider changing to:
The root CA operator is cross-signing a CA certificate of another CA operator that is currently in Mozilla’s root store, and that other CA operator:
Best regards,
Dimitris.
Hi Ben,
Here are the comments from the HARICA team:
### 5.4 Precertificates ###
Certificate Transparency precertificates are considered by Mozilla to be a binding intent to issue a certificate, as described in section 3.1 of RFC 6962, and thus in-scope for enforcing compliance with these requirements. Thus,
* if a final certificate cannot be verified as matching a precertificate using the algorithms in RFC 6962, then two distinct final certificates are presumed to exist, and it is misissuance if the two final certificates have the same serial number and issuer, even if only one final certificate actually exists;
* if a precertificate implies the existence of a final certificate that does not comply with this policy, it is considered misissuance of the final certificate, even if the certificate does not actually exist;
* a CA must be able to revoke a certificate presumed to exist, if revocation of the certificate is required under this policy, even if the final certificate does not actually exist; and
* a CA must provide CRL and OCSP services and responses in accordance with this policy for all certificates presumed to exist based on the presence of a precertificate, even if the certificate does not actually exist.
The term "final certificate" is not defined. Section 6.1.1 uses the term "end-entity". It looks a bit confusing. We understand the need to separate a "precertificate" from a "certificate" but perhaps the word "final" can be omitted.
Another nit: RFC 5280 uses the term "end entity" (without the hyphen).
Section 6.1.1
- cessationOfOperation
"the CA is made aware of any circumstance indicating that use of a fully‐qualified domain name or IP address in the certificate is no longer legally permitted (e.g. a court or arbitrator has revoked a domain name registrant’s right to use the domain name, a relevant licensing or services agreement between the domain name registrant and the applicant has terminated, or the domain name registrant has failed to renew the domain name)."
This looks like a CA-driven revocationReason and seems to fit the privilegeWithdrawn reason better.
This third bullet, quoted above, is very similar to the other two bullets in this section for cessationofOperation ("the certificate subscriber no longer controls, or is no longer authorized to use, all of the domain names in the certificate;" "the certificate subscriber will no longer be using the certificate because they are discontinuing their website;"). Therefore, we think it fits here, too. A subscriber can make the CA aware of such circumstances, and these circumstances might not constitute a violation of the certificate subscriber agreement (the intention of privilegeWithdrawn).
- superseded
- "the CA obtains reasonable evidence that the validation of domain authorization or control for any fully‐qualified domain name or IP address in the certificate should not be relied upon; or"
- "the CA has revoked the certificate for compliance reasons such as the certificate does not comply with this policy, the CA/Browser Forum's Baseline Requirements, or the CA’s CP or CPS."
Looking at these reasons, we have very similar intent for the reason "privilegeWithdrawn". Most probably, the intent of the revocationReason is to indicate why a certificate has been revoked. Relying Parties probably don't care if a new certificate has been issued to replace a revoked one or not, but are more interested on why a particular certificate was revoked.
ITU-T X.509's description doesn't shed too much light either:
"superseded indicates that the public-key certificate has been superseded but there is no cause to suspect that the private key has been compromised."
We recommend adding these two bullets under the "privilegeWithdrawn" reason so that CAs have a "preferred" reason to indicate compliance, domain validation/authorization, subscriber violation issues.
In section 8.4:
please consider the following changes:
- The subordinate CA operator will obtain a non-technically-constrained (per section 5.3.1 of this policy) CA certificate, and the subordinate CA operator is not approved by Mozilla to issue the type of certificates (email, TLS, or EV TLS), which they will be able to issue under the new CA certificate.
- The root CA operator is cross-signing a root certificate of a CA operator who is not currently in Mozilla’s root store.
- The root CA operator is cross-signing a root certificate of another CA operator who is currently in Mozilla’s root store, but the other CA operator has been approved for different trust bits (email, TLS, or EV TLS) than those trust bits that will be recognized under the cross-signed certificate that it will be receiving.
- The subordinate CA operator will obtain an unconstrained (per section 5.3.1 of this policy) CA certificate, and the subordinate CA operator is not approved by Mozilla to issue the type of certificates (email, TLS, or EV TLS), which they will be able to issue under the new CA certificate.
- The root CA operator is cross-signing a CA certificate of a CA operator who is not currently in Mozilla’s root store.
- The root CA operator is cross-signing a CA certificate of another CA operator who is currently in Mozilla’s root store, but the other CA operator has been approved for different trust bits (email, websites), or EV, than those trust bits that will be recognized under the cross-signed certificate that it will be receiving.
Similarly, for the last bullet of the section
The root CA operator is cross-signing a root certificate of another CA operator that is currently in Mozilla’s root store, and that other CA operator:
- will only be able to issue the same type of certificate (email, TLS, or EV TLS) that they are already approved for in Mozilla’s root store; and
- will operate both the cross-signed certificate and their root certificate under the same policies, practices, and scope of audit that their root certificate was approved for. (Newer versions of policies and practices MAY be used, provided that the cross-signed CA operator follows the same versions of the policies for both the cross-signed certificate and their root certificate.)
please consider changing to:
The root CA operator is cross-signing a CA certificate of another CA operator that is currently in Mozilla’s root store, and that other CA operator:
- will only be able to issue the same type of certificate (email, TLS, or EV TLS) that they are already approved for in Mozilla’s root store; and
- will operate both the cross-signed certificate and their CA certificate(s) under the same policies, practices, and scope of audit that their CA certificate was approved for.
(Newer versions of policies and practices MAY be used, provided that the cross-signed CA operator follows the same versions of the policies for both the cross-signed certificate and their CA certificate(s).)
--Best regards,
Dimitris.
See responses below.On Tue, Apr 19, 2022 at 2:56 AM Dimitris Zacharopoulos <ji...@it.auth.gr> wrote:
Hi Ben,
Here are the comments from the HARICA team:
- superseded
- "the CA obtains reasonable evidence that the validation of domain authorization or control for any fully‐qualified domain name or IP address in the certificate should not be relied upon; or"
- "the CA has revoked the certificate for compliance reasons such as the certificate does not comply with this policy, the CA/Browser Forum's Baseline Requirements, or the CA’s CP or CPS."
Looking at these reasons, we have very similar intent for the reason "privilegeWithdrawn". Most probably, the intent of the revocationReason is to indicate why a certificate has been revoked. Relying Parties probably don't care if a new certificate has been issued to replace a revoked one or not, but are more interested on why a particular certificate was revoked.What if we combine the second and third bullets (failure of domain/IP address verification and compliance reasons) to read, "the CA has revoked the certificate because it was not issued in full compliance with this policy, the CA/Browser Forum's Baseline Requirements, or the CA’s CP or CPS."? The reason being that we want "superseded" to encompass certificate replacement situations where there has not been a Subscriber's breach (privilegeWithdrawn).
The CRLReason superseded is intended to be used to indicate when:
" * if a corresponding certificate cannot be verified as matching a precertificate using the algorithms in RFC 6962, then two distinct corresponding certificates are presumed to exist, and it is misissuance if the two corresponding certificates have the same serial number and issuer, even if only one corresponding certificate actually exists;"
See responses below.[...]
Although RFC 5280 does use "end entity certificate" (without the hyphen), the current MRSP already uses "end-entity certificate" with the hyphen, so changing it now would require that I replace it in those other places as well. Should we add this as a GitHub issue to resolve in a future version of the MRSP?
Section 6.1.1
- cessationOfOperation
"the CA is made aware of any circumstance indicating that use of a fully‐qualified domain name or IP address in the certificate is no longer legally permitted (e.g. a court or arbitrator has revoked a domain name registrant’s right to use the domain name, a relevant licensing or services agreement between the domain name registrant and the applicant has terminated, or the domain name registrant has failed to renew the domain name)."
This looks like a CA-driven revocationReason and seems to fit the privilegeWithdrawn reason better.
This third bullet, quoted above, is very similar to the other two bullets in this section for cessationofOperation ("the certificate subscriber no longer controls, or is no longer authorized to use, all of the domain names in the certificate;" "the certificate subscriber will no longer be using the certificate because they are discontinuing their website;"). Therefore, we think it fits here, too. A subscriber can make the CA aware of such circumstances, and these circumstances might not constitute a violation of the certificate subscriber agreement (the intention of privilegeWithdrawn).
- superseded
- "the CA obtains reasonable evidence that the validation of domain authorization or control for any fully‐qualified domain name or IP address in the certificate should not be relied upon; or"
- "the CA has revoked the certificate for compliance reasons such as the certificate does not comply with this policy, the CA/Browser Forum's Baseline Requirements, or the CA’s CP or CPS."
Looking at these reasons, we have very similar intent for the reason "privilegeWithdrawn". Most probably, the intent of the revocationReason is to indicate why a certificate has been revoked. Relying Parties probably don't care if a new certificate has been issued to replace a revoked one or not, but are more interested on why a particular certificate was revoked.
What if we combine the second and third bullets (failure of domain/IP address verification and compliance reasons) to read, "the CA has revoked the certificate because it was not issued in full compliance with this policy, the CA/Browser Forum's Baseline Requirements, or the CA’s CP or CPS."? The reason being that we want "superseded" to encompass certificate replacement situations where there has not been a Subscriber's breach (privilegeWithdrawn).
ITU-T X.509's description doesn't shed too much light either:
"superseded indicates that the public-key certificate has been superseded but there is no cause to suspect that the private key has been compromised."
We recommend adding these two bullets under the "privilegeWithdrawn" reason so that CAs have a "preferred" reason to indicate compliance, domain validation/authorization, subscriber violation issues.
It seems that "privilegeWithdrawn" best fits the six bulleted items already there.
"The OCSP responder MAY provide definitive responses about "reserved" certificate serial numbers, as if there was a corresponding Certificate that matches the Precertificate [RFC6962].
A certificate serial number within an OCSP request is one of the following three options:
A certificate serial number is one of the following three options:
Hi Ben,
I believe the “Non-disclosable Intermediate Certificates” section of the “CA/Subordinate CA Checklist” Wiki page [1] should be deleted given that Mozilla is now requiring the disclosure of all TCSA certificates, regardless of technical constraints.
Thanks,
Corey
[1] https://wiki.mozilla.org/CA/Subordinate_CA_Checklist#Non-disclosable_Intermediate_Certificates
From: dev-secur...@mozilla.org <dev-secur...@mozilla.org> On Behalf Of Ben Wilson
Sent: Wednesday, April 13, 2022 1:18 PM
To: dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Subject: Policy 2.8: Final Review of MRSP v. 2.8
All,
Here are links helpful during your final review of version 2.8 of the Mozilla Root Store Policy (MRSP) :
Please review the changes and provide any additional comments by the end of Tuesday, April 19, 2022.
My plan is to move this version over to the Mozilla pkipolicy repository on Github, and then I'll request that it be published on Mozilla's website to replace version 2.7.1.
Thanks,
Ben
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaby8DypMdN2ih3xF_nf0FoshtaKUes-KC%2Baxfi-3cRiqw%40mail.gmail.com.
Hi Ben,
Does Mozilla allow for the inclusion of non-self-signed certificates as trust anchors? From a BR standpoint, the Root Certificate is self-signed (“Root Certificate” is defined as “The self-signed Certificate issued by the Root CA to identify itself and to facilitate verification of Certificates issued to its Subordinate CAs.”). If I recall correctly, there were historical exceptions to this, but I don’t believe there have been any recently.
If Mozilla does not allow for the inclusion of non-self-signed certificates as trust anchors, then I think the entire section can be deleted as the “intermediate” CA (relative to another PKI hierarchy, presumably “private”) can certify itself and have the self-signed certificate included in Mozilla.
Thanks,
Corey
From: Ben Wilson <bwi...@mozilla.com>
Sent: Wednesday, April 20, 2022 2:00 PM
To: Corey Bonnell <Corey....@digicert.com>
Cc: dev-secur...@mozilla.org <dev-secur...@mozilla.org>
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/475eeac7-5fb2-433e-bd4e-c591593fc9ddn%40mozilla.org.
Hi Ben,
I wanted to ask a question about when revocation reasons and dates can be changed.
The current wording is:
When the CA obtains verifiable evidence of private key compromise for a certificate whose CRL entry does not contain a reasonCode extension or has a reasonCode extension with a non-keyCompromise reason, the CA SHOULD update the CRL entry to enter keyCompromise as the CRLReason in the reasonCode extension. Additionally, the CA SHOULD update the revocation date in a CRL entry when it is determined that the private key of the certificate was compromised prior to the revocation date that is indicated in the CRL entry for that certificate. Note: Backdating the revocationDate field is an exception to best practice described in RFC 5280 (section 5.3.2); however, this policy specifies the use of the revocationDate field to support TLS implementations that process the revocationDate field as the date when the certificate is first considered to be compromised.
From this, I assume that the logic needs to be:
Are you expecting CAs to update reasonCode or revocationDate in any other cases to support “TLS implementations that process the revocationDate field as the date when the certificate is first considered to be compromised”? Given RFC 5280 recommends not backdating (or changing) revocation dates, we wanted to get clear guidance for what scenarios Mozilla wants CAs to not follow the RFC5280 best practices.
If we apply the “default deny” logic to the Mozilla Policy, I believe the logic I described above is an accurate representation, so perhaps no additional changes to the policy are needed, but wanted to double check I was not missing anything.
Doug
From: dev-secur...@mozilla.org <dev-secur...@mozilla.org> On Behalf Of Ben Wilson
Sent: Wednesday, April 13, 2022 1:18 PM
To: dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Subject: Policy 2.8: Final Review of MRSP v. 2.8
All,
Here are links helpful during your final review of version 2.8 of the Mozilla Root Store Policy (MRSP) :
Please review the changes and provide any additional comments by the end of Tuesday, April 19, 2022.
My plan is to move this version over to the Mozilla pkipolicy repository on Github, and then I'll request that it be published on Mozilla's website to replace version 2.7.1.
Thanks,
Ben
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaby8DypMdN2ih3xF_nf0FoshtaKUes-KC%2Baxfi-3cRiqw%40mail.gmail.com.
As I understand it, the goal of this bullet point is not to add an
exception to misissuance, but to make sure that there is zero ambiguity
that incidents like the following are misissuances:
https://bugzilla.mozilla.org/show_bug.cgi?id=1677737
If the intermediate CA certificate includes the id-kp-emailProtection extended key usage, then to be considered technically constrained, it MUST include the Name Constraints X.509v3 extension with constraints on rfc822Name, with at least one name in permittedSubtrees, each such name having its ownership validated according to section 3.2.2.4 of the Baseline Requirements. The values id-kp-serverAuth and anyExtendedKeyUsage MUST NOT be present. id-kp-clientAuth MAY be present. Other values that the CA is allowed to use and are documented in the CA’s CP, CPS, or combined CP/CPS MAY be present."
In particular, the sentence "Other values that the CA is allowed to use and are documented in the CA’s CP, CPS, or combined CP/CPS MAY be present." should also be added to the paragraph for id-kp-serverAuth. Without that sentence, a "default deny" interpretation of that paragraph may lead some readers to the conclusion that other EKU values are not allowed.
Thanks,
Corey
Hi Ben,In giving the draft 2.8 policy another read, I found a potential inconsistency that should be resolved. Section 5.3.1 [1] says:"If the intermediate CA certificate includes the id-kp-serverAuth extended key usage, then to be considered technically constrained, the certificate MUST be Name Constrained as described in section 7.1.5 of version 1.3 or later of the Baseline Requirements. The id-kp-clientAuth EKU MAY also be present. The conformance requirements defined in section 2.3 of this policy also apply to technically constrained intermediate certificates.If the intermediate CA certificate includes the id-kp-emailProtection extended key usage, then to be considered technically constrained, it MUST include the Name Constraints X.509v3 extension with constraints on rfc822Name, with at least one name in permittedSubtrees, each such name having its ownership validated according to section 3.2.2.4 of the Baseline Requirements. The values id-kp-serverAuth and anyExtendedKeyUsage MUST NOT be present. id-kp-clientAuth MAY be present. Other values that the CA is allowed to use and are documented in the CA’s CP, CPS, or combined CP/CPS MAY be present."
In particular, the sentence "Other values that the CA is allowed to use and are documented in the CA’s CP, CPS, or combined CP/CPS MAY be present." should also be added to the paragraph for id-kp-serverAuth. Without that sentence, a "default deny" interpretation of that paragraph may lead some readers to the conclusion that other EKU values are not allowed.
Hi Ryan,
Comments inline.
> I don't believe this change is correct.
Well, the draft language seemingly doesn’t reflect the discussion on the associated policy thread [1]. I’d hope that even if there were a concrete prohibition (MUST NOT), it could be stated more clearly than a highly subtle “default deny” reading.
> Having a multi-purpose server-auth certificate, even if technically constrained, seems to be a significant step back. While this is permitted for email, that is hopefully only temporary, to reflect the lack of maturity and secure design in the id-kp-emailProtection CA ecosystem.
I don’t quite follow why this is a step back, as it’s simply a restatement of the status quo (i.e., no steps taken). That’s not to say there can’t be further refinements in this area, but current language does not align with the discussion on the associated policy thread, namely [2], where it was stated there is a desire to align MRSP with the TLS BRs in this regard.
[1] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/n1vLLXwNbuM/m/D6oEqHXgBAAJ
[2] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/n1vLLXwNbuM/m/atOa5QoFAQAJ
Thanks,
Corey
From: Ryan Sleevi <ry...@sleevi.com>
Sent: Thursday, April 28, 2022 7:27 PM
To: Corey Bonnell <Corey....@digicert.com>
I don’t quite follow why this is a step back, as it’s simply a restatement of the status quo (i.e., no steps taken). That’s not to say there can’t be further refinements in this area, but current language does not align with the discussion on the associated policy thread, namely [2], where it was stated there is a desire to align MRSP with the TLS BRs in this regard.