info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Policy 2.6 Proposal: Decide how policy applies to certs under TCSCs
85 views
Skip to first unread message
Wayne Thayer
Apr 17, 2018, 2:20:47 PM4/17/18
to mozilla-dev-security-policy
Section 5.3 of Mozilla policy states:
All certificates that are capable of being used to issue new certificates,
> and which directly or transitively chain to a certificate included in
> Mozilla’s CA Certificate Program, MUST be operated in accordance with this
> policy and MUST either be technically constrained or be publicly disclosed
> and audited.
>
This could be interpreted as exempting technically constrained subordinate
CA certificates from the self-audit requirements in BR section 8.1, or even
from any BR compliance requirement. Since the original discussion of this
issue [1] back in 2016, we have updated the scope of our policy to clearly
include technically constrained certificates, and thus the requirement for
BR conformance in section 2.3 does apply to these certificates. I believe
that our current policy already resolves this issue.
I propose that we further clarify the requirements for technically
constrained certificates by adding a second sentence to the second
paragraph of section 5.3.1 of the Mozilla policy as follows:
If the certificate includes the id-kp-serverAuth extended key usage, then
> the certificate MUST be Name Constrained as described in section 7.1.5 of
> version 1.3 or later of the Baseline Requirements. The Baseline
> Requirements Conformance policy, as defined in section 2.3, applies to
> technically constrained subordinate CA certificates.
>
I would appreciate everyone's input on this topic.
This is: https://github.com/mozilla/pkipolicy/issues/36
[1]
https://groups.google.com/d/msg/mozilla.dev.security.policy/ZMUjQ6xHrDA/ySofsF_PAgAJ
-------
This is a proposed update to Mozilla's root store policy for version
2.6. Please keep discussion in this group rather than on GitHub. Silence
is consent.
Policy 2.5 (current version):
https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md
All certificates that are capable of being used to issue new certificates,
> and which directly or transitively chain to a certificate included in
> Mozilla’s CA Certificate Program, MUST be operated in accordance with this
> policy and MUST either be technically constrained or be publicly disclosed
> and audited.
>
This could be interpreted as exempting technically constrained subordinate
CA certificates from the self-audit requirements in BR section 8.1, or even
from any BR compliance requirement. Since the original discussion of this
issue [1] back in 2016, we have updated the scope of our policy to clearly
include technically constrained certificates, and thus the requirement for
BR conformance in section 2.3 does apply to these certificates. I believe
that our current policy already resolves this issue.
I propose that we further clarify the requirements for technically
constrained certificates by adding a second sentence to the second
paragraph of section 5.3.1 of the Mozilla policy as follows:
If the certificate includes the id-kp-serverAuth extended key usage, then
> the certificate MUST be Name Constrained as described in section 7.1.5 of
> version 1.3 or later of the Baseline Requirements. The Baseline
> Requirements Conformance policy, as defined in section 2.3, applies to
> technically constrained subordinate CA certificates.
>
I would appreciate everyone's input on this topic.
This is: https://github.com/mozilla/pkipolicy/issues/36
[1]
https://groups.google.com/d/msg/mozilla.dev.security.policy/ZMUjQ6xHrDA/ySofsF_PAgAJ
-------
This is a proposed update to Mozilla's root store policy for version
2.6. Please keep discussion in this group rather than on GitHub. Silence
is consent.
Policy 2.5 (current version):
https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md
Wayne Thayer
Apr 23, 2018, 4:40:26 PM4/23/18
to mozilla-dev-security-policy
Hearing no objections, I have made the proposed clarification in the
version 2.6 branch:
https://github.com/mozilla/pkipolicy/commit/def9c711163e0cae6a19866fb551e915e3bcef12
- Wayne
version 2.6 branch:
https://github.com/mozilla/pkipolicy/commit/def9c711163e0cae6a19866fb551e915e3bcef12
- Wayne
0 new messages