Policy 2.5 Proposal: Make it clear that Mozilla policy has wider scope than the BRs

[Gervase Markham]

The scope of the BRs is ambiguous, and almost certainly smaller than the
scope of the Mozilla policy. It might be useful to explicitly draw
attention to that fact, for the avoidance of doubt.

Proposal: add a bullet to section 2.3, where we define BR exceptions:

"Insofar as the Baseline Requirements attempt to define their own scope,
the scope of this policy (section 1.1) overrides that. Mozilla expects
CA operations relating to issuance of all SSL certificates in the scope
of this policy to conform to the Baseline Requirements."

This is: https://github.com/mozilla/pkipolicy/issues/72

-------

This is a proposed update to Mozilla's root store policy for version
2.5. Please keep discussion in this group rather than on Github. Silence
is consent.

Policy 2.4.1 (current version):
https://github.com/mozilla/pkipolicy/blob/2.4.1/rootstore/policy.md
Update process:
https://wiki.mozilla.org/CA:CertPolicyUpdates

[Kurt Roeckx]

On 2017-06-02 12:28, Gervase Markham wrote:
> "Insofar as the Baseline Requirements attempt to define their own scope,
> the scope of this policy (section 1.1) overrides that. Mozilla expects
> CA operations relating to issuance of all SSL certificates in the scope
> of this policy to conform to the Baseline Requirements."

Should that be "all certificates" instead of "all SSL certificates"?


Kurt

[Gervase Markham]

On 02/06/17 12:24, Kurt Roeckx wrote:
> Should that be "all certificates" instead of "all SSL certificates"?

No; the Baseline Requirements apply only to SSL certificates.

Gerv

[Peter Bowen]

On Fri, Jun 2, 2017 at 8:50 AM, Gervase Markham via
dev-security-policy <dev-secur...@lists.mozilla.org> wrote:
> On 02/06/17 12:24, Kurt Roeckx wrote:

>> Should that be "all certificates" instead of "all SSL certificates"?
>

> No; the Baseline Requirements apply only to SSL certificates.

Should Mozilla include a clear definition of "SSL certificates" in the
policy? And should it be based on technical attributes rather than
intent of the issuer?

Thanks,
Peter

[Kurt Roeckx]

On Fri, Jun 02, 2017 at 04:50:44PM +0100, Gervase Markham wrote:
> On 02/06/17 12:24, Kurt Roeckx wrote:

> > Should that be "all certificates" instead of "all SSL certificates"?
>

> No; the Baseline Requirements apply only to SSL certificates.

Then I don't understand what you're trying to do. If the BR
already apply to all SSL certificates, why would Mozilla need to
override this and say it applies to all SSL certificates?

The BR are at least confusing to what they claim to be about. The
title of the document says "for the issuance and management of
pubicly-trusted certificates". In the "notice to readers" they say
it's about server authentication, and seem to imply it doesn't
cover "web services", code signing, smime, ...

Maybe you want to say it also applies to client authentication?

I also think it's wrong to say it just applies to SSL
certificates, it also applies to at least the intermediate
CAs.

I also see very little reason why the BRs couldn't be applied to
all certificates if the put some effort in making the BRs actual
baseline requirements. About the only thing in the BRs that don't
apply to all certificates are the SAN requirements and things
related to having control over the domain name. It shouldn't be
that hard to move those things to a separate document instead.


Kurt

[David E. Ross]

Consider:

While the Mozilla policy requires compliance with the Baseline
Requirements, this policy has a broader scope by levying additional
requirements on certification authorities.

--
David E. Ross
<http://www.rossde.com>

Consider:
* Most state mandate that drivers have liability insurance.
* Employers are mandated to have worker's compensation insurance.
* If you live in a flood zone, flood insurance is mandatory.
* If your home has a mortgage, fire insurance is mandatory.

Why then is mandatory health insurance so bad??

[Gervase Markham]

On 02/06/17 17:24, Kurt Roeckx wrote:
> On Fri, Jun 02, 2017 at 04:50:44PM +0100, Gervase Markham wrote:
>> On 02/06/17 12:24, Kurt Roeckx wrote:
>>> Should that be "all certificates" instead of "all SSL certificates"?
>>
>> No; the Baseline Requirements apply only to SSL certificates.
>
> Then I don't understand what you're trying to do. If the BR
> already apply to all SSL certificates,

No. The Baseline Requirements state that they apply to _some_ SSL
certificates. Exactly which ones is not clear because the BRs use
language of intent. From section 1.1: "These Requirements only address
Certificates intended to be used for authenticating servers accessible
through the Internet."

Mozilla does not believe the language of intent is useful, and wants to
use language of capability to define scope. Therefore, we have our own
scope statement for our policy, and now want to make it clear that
there's no such thing as an SSL certificate which falls under the
Mozilla policy but does not fall under the BRs, despite the differing
and unclear scope statement in the BRs.

Gerv

[Gervase Markham]

On 02/06/17 17:07, Peter Bowen wrote:
> Should Mozilla include a clear definition of "SSL certificates" in the
> policy? And should it be based on technical attributes rather than
> intent of the issuer?

Absolutely Yes to your second sentence :-). We do have a clear
definition of what's in scope; however, we don't subclassify
specifically into "SSL" and "email" except by implication from the EKU.
And that leaves the question of what to do with anyEKU.

Gerv

[Gervase Markham]

On 02/06/17 11:28, Gervase Markham wrote:
> Proposal: add a bullet to section 2.3, where we define BR exceptions:
>
> "Insofar as the Baseline Requirements attempt to define their own scope,
> the scope of this policy (section 1.1) overrides that. Mozilla expects
> CA operations relating to issuance of all SSL certificates in the scope
> of this policy to conform to the Baseline Requirements."

Implemented as specced.

Gerv

[David E. Ross]

This seems self-contradictory.

How about adding only 2 words ("Nevertheless" and "also") to the second
sentence:

Insofar as the Baseline Requirements attempt to define their own scope,

the scope of this policy (section 1.1) overrides that. Nevertheless,

Mozilla expects CA operations relating to issuance of all SSL

certificates in the scope of this policy to conform also to the Baseline
Requirements.

[Jakob Bohm]

How about the following, which seems more correct

Insofar as the Baseline Requirements attempt to define their own scope,
the scope of this policy (section 1.1) overrides that. Mozilla

thus requires CA operations relating to issuance of all SSL certificates

in the scope of this policy to conform to the Baseline Requirements.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

[Gervase Markham]

On 08/06/17 19:46, Jakob Bohm wrote:
> How about the following, which seems more correct

Yes; I'm not sure why David thought the original version's two sentences
were contradicting rach other.

> Insofar as the Baseline Requirements attempt to define their own scope,
> the scope of this policy (section 1.1) overrides that. Mozilla
> thus requires CA operations relating to issuance of all SSL certificates
> in the scope of this policy to conform to the Baseline Requirements.

This is marginally better; wording updated :-)

Gerv