"CAs MUST NOT issue certificates that have:
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZJJ4Z4QkhyX7mpuMca3JpdE-E7KhVmLQ4P7UND82oZzw%40mail.gmail.com.
> A recently-relevant example could be "an OCSP Delegated Responder without the id-pkix-ocsp-nocheck extension".
This is a good example for a BR profile violation. However, since the Mozilla Root Program also includes SMIME certificate issuance and there is currently no requirement for ocsp-nocheck to be included in OCSP Delegated Responder certificates for SMIME, this example may cause confusion.
> I think it is important to remove/improve the "SSL certificates that exclude SSL usage", given that a cert which does not have the TLSServerAuth EKU is by definition not an SSL certificate, so it's not crystal clear what the example means.
Agreed. Perhaps “SSL certificates that exclude SSL usage” can be changed to: “TLS certificates with no subjectAltName extension”.
Thanks,
Corey
Why “where applicable”? It’s not clear to me, and I worry that it equally may not be clear to others, particularly CAs. We definitely saw issues with interpretations about applicability in the past.
I suspect you were trying to limit which of the following clauses, but it reads as if it is limiting the situations those clauses should be considered.
Would it achieve the same goal to remove “where applicable”? Alternatively, pulling out the third and final bullet points into a separate list only for certificates?
Finally, does it make sense to add an example of a missing/incorrect extension for CRLs, like “issuing partial/scoped CRLs that lack a distributionPoint in a critical issuingDistributionPoint extension”?
CAs MUST NOT issue certificates, CRLs, or OCSP responses, that have:
CAs MUST NOT issue certificates that have: