--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/AM8PR10MB430551044C73C395B64451499EE39%40AM8PR10MB4305.EURPRD10.PROD.OUTLOOK.COM.
I agree with Rob Stradling on this one. The potential existence of multiple certification paths means that such a certificate can make sense in some situations.
-Tim
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CALVZKwZbcnfkJJGG2CXKaoxWNg46zstk5mL%2Bq9HYKjk2VTdxsA%40mail.gmail.com.
> Is it misissuance if a CA issues a certificate where there are no viable certificate paths according to RFC 5280?
If so, is it still misissuance if a viable path later comes into existence (due to issuance of another, less-constrained subordinate CA certificate that has the same Subject and Key)? Or does it become "no longer considered misissuance"? (Or does this thought experiment suggest that it wasn't actually misissuance in the first place?)
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAErg%3DHH2t5hDs50Cb5zmG_wg%2BQA%2Bgj9LZ4ky96Zk0cYHZwsbTw%40mail.gmail.com.
I would have to agree with Rob here, mainly as this validation *should* be done by the consuming software/tls client.
I am not too familiar with what definition is being used for a viable path here but if "Acme Corp Issuing CA" had a TCSC certificate from a root but then had a non-constrained cert from a root that might be audited etc but not in any of the major root programs, could they issue outside of their constrained names?
My initial thoughts are that there seems to be a lot of complexity for what seems like a mostly theoretical problem that has limited risk and in a perfect world shouldn't be a problem at all because the TLS client would handle it.
Sticking to the simple case where there are no alternative certification paths, I would say that it would be reasonable to improve the policy here to disallow such useless certificates in the future. It’s not clear they serve any useful function, and the world would probably be a better place if CAs couldn’t issue them.
Someone should probably file a CABF github issue, too. It’s worth discussing there.
-Tim
From: Ryan Sleevi <ry...@sleevi.com>
Sent: Wednesday, July 21, 2021 5:16 PM
To: Tim Hollebeek <tim.ho...@digicert.com>
Cc: Ryan Hurst <ryan....@gmail.com>; Buschart, Rufus <rufus.b...@siemens.com>; dev-secur...@mozilla.org
Subject: Re: Your opinion on misissuance under name constrained ICAs
Weighing in for a Root Program (Chrome, i.e. wearing a Chrome Hat)
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20210726043030.GD27405%40hezmatt.org.
> If this is an issue that is of concern, a CA is going to need to log intermediaries in their CT logs so they can establish that there was a valid path for issuance.
Mozilla does not have a formal CT policy, but it does have CCADB. It would be reasonable to require disclosure of TCSC certificates within one week of issuance and before any end-entity certificates have been issued (i.e., the same disclosure requirements as non-technically constrained CA certificates). Requiring such disclosure would provide visibility into the ecosystem using existing mechanisms.
Thanks,
Corey
From: dev-secur...@mozilla.org <dev-secur...@mozilla.org> On Behalf Of Phillip Hallam-Baker
Sent: Monday, July 26, 2021 1:57 AM
To: Matt Palmer <mpa...@hezmatt.org>
Cc: dev-secur...@mozilla.org
Subject: Re: Your opinion on misissuance under name constrained ICAs
This is (one of) the things we have Certificate Transparency for. It is the time machine you seek.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAMm%2BLwjyMdgDnh4zeFGzV2JGmC%2BoToKmrBpcDV5fcYXgrpqhPw%40mail.gmail.com.
Hello Dimitris!
Thank you for your reply and your willingness to disclose about your experiences. I would like to understand:
1) Do you operate all the different ICAs in a central environment or is every of these ICAs operated by the said university? (for the following questions, I assume you operate them centrally).
2) To set up all those ICAs, do you use some automation? Or is everything created manually?
3) What is you experience how often do you have to modify those ICAs due to changes in the name constraints? Do you do this also outside of the regular interval for rekeying / renewale?
4) Do you involve your auditor in each of these events?
5) For each of the ICAs you must generate OCSP signer keys / certificates. Do you backup those keys and have to access the HSMs therefore physically?
6) Are there any special considerations to be done in the yearly audit?
The background to my questions is, that I would like to understand how good the processes of a CA can scale if the CA is not only maintaining a few number of TLS CAs but > 50.
With best regards,
Rufus Buschart
Siemens AG
Information Technology
Infrastructure
-----Original Message-----
From: dev-secur...@mozilla.org <dev-secur...@mozilla.org> On Behalf Of Dimitris Zacharopoulos
Sent: Samstag, 24. Juli 2021 10:16
To: Buschart, Rufus (IT IN COR TSQ-1) <rufus.b...@siemens.com>; dev-secur...@mozilla.org
Subject: Re: Your opinion on misissuance under name constrained ICAs)
On 24/7/2021 1:54 π.μ., Buschart, Rufus wrote:
1) I would love to hear from HARICA about their experiences with their approach of having a lot of name-constrained ICAs, since thisis very different to what everybody else seems to be doing.
Hi Rufus,
What exactly are you hoping to hear? "experiences" is pretty wide
6) Are there any special considerations to be done in the yearly audit?
No. I explained the reasons why we didn't decide to allow for externally technically constrained subCAs so our audits are like any audit of unconstrained subCAs.
It is quite possible that you have identified HARICA as the CA with most technically constrained subCAs because we decided to disclose our TCSC Certificate in CCADB although the current Mozilla Policy does not require it. It's very likely that other CAs have TCSCs that have not been disclosed and could have a different approach from HARICA.
In such a case, I would also be very much interested to understand the audit scope for TCSCs and get some clarity from the Root Store managers about the expectations, since the BRs are not entirely clear on the audit scope for TCSCs.
It is quite possible that you have identified HARICA as the CA with most technically constrained subCAs because we decided to disclose our TCSC Certificate in CCADB although the current Mozilla Policy does not require it. It's very likely that other CAs have TCSCs that have not been disclosed and could have a different approach from HARICA.
Ryan S: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XsVpyOGlagE/m/MIUVYrGZAwAJ
Thank you for clarification! But you would support the overall insight: currently it is not clear from the BRGs or the Mozilla Root Store Policy if this is a misissuance or not and we should clarify it?
/Rufus
From: dev-secur...@mozilla.org <dev-secur...@mozilla.org> On Behalf Of Ryan Sleevi
Sent: Wednesday, 4 August 2021 17:18
To: Buschart, Rufus (IT IN COR TSQ-1) <rufus.b...@siemens.com>
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAErg%3DHF_sUOTeea1Pb9T3VHBuAox%2B6iBijaC180wnMCNwYAUYA%40mail.gmail.com.
Thank you for clarification! But you would support the overall insight: currently it is not clear from the BRGs or the Mozilla Root Store Policy if this is a misissuance or not and we should clarify it?