Hi Rick,
Please see item #3 of
https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Frequently_Asked_Questions
--
3. How do I technically constrain a subordinate CA certificate that will
only be used to issue end-user certificates intended for client
authentication?
For the subCA certificate to be considered technically constrained
according to item #9 of Mozilla's CA Certificate Inclusion Policy, the
subCA certificate must have the Extended Key Usage (EKU) extension with
the id-kp-clientAuth KeyPurposeId (and whatever else they need), and the
EKU extension must not include any of these KeyPurposeIds:
anyExtendedKeyUsage, id-kp-serverAuth, id-kp-emailProtection,
id-kp-codeSigning.
- If the EKU extension includes id-kp-serverAuth, then (in
order to be considered technically constrained) the subCA certificate
must also include the Name Constraints extension as described in item #9
of Mozilla's CA Certificate Inclusion Policy.
- If the EKU extension includes id-kp-emailProtection, then (in
order to be considered technically constrained) technical and/or
business controls need to be in place to ensure that the subCA only
issues certs for email addresses that the CA has confirmed the subCA is
authorized to use, as described in item #9 of Mozilla's CA Certificate
Inclusion Policy.
- If the EKU extension includes id-kp-codeSigning, then (in
order to be considered technically constrained) the SubCA certificate
must also contain a directoryName permittedSubtrees constraint as
described in item #9 of Mozilla's CA Certificate Inclusion Policy.
--
As per section #9 of the policy, we prefer that all subordinate CA
certificates are technically constrained. As per #10 of the policy, we
recognize that technically constraining subordinate CA certificates as
described in section #9 may not be practical in some cases, so in those
cases the subCA certificate can be audited/disclosed instead.
Does that answer your questions?
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
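The FAQ item quoted above is a small decision procedure over a subCA certificate's EKU and Name Constraints extensions. The following is an added example (not Mozilla's code and not part of the message) that encodes those rules as a checker. It works on a hand-built model of the extensions rather than parsing DER, so it needs only the Python standard library; the KeyPurposeId OIDs are the real RFC 5280 values. Two things are assumptions rather than taken from the page: item #9's exact requirements for the serverAuth Name Constraints are not reproduced here, so the checker only demands a non-empty Name Constraints extension, and the emailProtection case is reported as "needs review" because the technical/business controls item #9 calls for cannot be read from the certificate alone.

```python
"""Decide whether a subordinate CA certificate is "technically constrained"
under the EKU / Name Constraints rules quoted in the message above.

Added example; not Mozilla's code and not part of the original message.
It evaluates a hand-built model of the subCA's extensions rather than
parsing DER, so it needs only the standard library. Assumption: a Name
Constraints extension "as described in item #9" is approximated here as
"present with at least one permitted or excluded subtree", since item #9
itself is not reproduced on this page.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple

# KeyPurposeId OIDs (RFC 5280, section 4.2.1.12).
ANY_EKU = "2.5.29.37.0"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"


class Verdict(Enum):
    CONSTRAINED = "technically constrained"
    NOT_CONSTRAINED = "not technically constrained"
    NEEDS_REVIEW = "constrained only if out-of-band email controls are confirmed"


@dataclass
class NameConstraints:
    # Each entry is (GeneralName type, value), e.g. ("dNSName", "example.com").
    permitted: List[Tuple[str, str]] = field(default_factory=list)
    excluded: List[Tuple[str, str]] = field(default_factory=list)


@dataclass
class SubCAExtensions:
    eku: Optional[List[str]]                 # None means no EKU extension at all
    name_constraints: Optional[NameConstraints] = None


def evaluate(ext: SubCAExtensions) -> Tuple[Verdict, List[str]]:
    """Apply the FAQ rules in order of severity; return verdict plus reasons."""
    if ext.eku is None:
        # Without an EKU extension nothing limits what the subCA may issue.
        return Verdict.NOT_CONSTRAINED, ["no EKU extension present"]
    eku = set(ext.eku)
    if ANY_EKU in eku:
        return Verdict.NOT_CONSTRAINED, ["EKU includes anyExtendedKeyUsage"]
    nc = ext.name_constraints
    reasons: List[str] = []
    if SERVER_AUTH in eku:
        # Assumption: any non-empty Name Constraints extension satisfies item #9.
        if nc is None or not (nc.permitted or nc.excluded):
            return Verdict.NOT_CONSTRAINED, ["serverAuth without Name Constraints"]
        reasons.append("serverAuth is paired with a Name Constraints extension")
    if CODE_SIGNING in eku:
        has_dirname = nc is not None and any(
            kind == "directoryName" for kind, _ in nc.permitted)
        if not has_dirname:
            return Verdict.NOT_CONSTRAINED, [
                "codeSigning without a directoryName permittedSubtrees constraint"]
        reasons.append("codeSigning is paired with a directoryName permittedSubtree")
    verdict = Verdict.CONSTRAINED
    if EMAIL_PROTECTION in eku:
        # The certificate alone cannot prove the email-address controls; flag it.
        verdict = Verdict.NEEDS_REVIEW
        reasons.append("emailProtection: confirm technical/business email controls")
    if not reasons:
        reasons.append("EKU limited to " + ", ".join(sorted(eku)))
    return verdict, reasons


# Constructed sample subCA profiles (not real certificates).
SAMPLES: Dict[str, SubCAExtensions] = {
    "client-auth-only": SubCAExtensions(eku=[CLIENT_AUTH]),
    "no-eku": SubCAExtensions(eku=None),
    "any-eku": SubCAExtensions(eku=[ANY_EKU, CLIENT_AUTH]),
    "server-auth-unconstrained": SubCAExtensions(eku=[SERVER_AUTH]),
    "server-auth-dns-constrained": SubCAExtensions(
        eku=[SERVER_AUTH, CLIENT_AUTH],
        name_constraints=NameConstraints(permitted=[("dNSName", "example.com")])),
    "code-signing-dns-only": SubCAExtensions(
        eku=[CODE_SIGNING],
        name_constraints=NameConstraints(permitted=[("dNSName", "example.com")])),
    "code-signing-dirname": SubCAExtensions(
        eku=[CODE_SIGNING],
        name_constraints=NameConstraints(
            permitted=[("directoryName", "O=Example Corp,C=US")])),
    "smime": SubCAExtensions(eku=[EMAIL_PROTECTION, CLIENT_AUTH]),
}


def evaluate_all() -> Dict[str, Verdict]:
    return {name: evaluate(ext)[0] for name, ext in SAMPLES.items()}


if __name__ == "__main__":
    for name, ext in SAMPLES.items():
        verdict, why = evaluate(ext)
        print(f"{name:28s} {verdict.value:55s} ({'; '.join(why)})")
```

The ordering matters: an unrestricted condition (no EKU, anyExtendedKeyUsage, serverAuth or codeSigning without the matching constraint) is a hard failure and is reported first, while emailProtection never fails on its own but downgrades the verdict to a review item, which mirrors the FAQ's "technical and/or business controls" wording. To use it on a real certificate you would populate SubCAExtensions from whatever parser you already trust (for instance the EKU and Name Constraints output of openssl x509 -text) rather than by hand.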