On Wed, August 20, 2014 5:17 pm, Kathleen Wilson wrote:
> On 8/19/14, 5:37 PM, Kathleen Wilson wrote:
> > All,
> >
> > I started a new wiki page to document Mozilla's expectations regarding
> > CA compliance with the BRs, and auditing according to the BRs.
> >
> > https://wiki.mozilla.org/CA:BaselineRequirements
> >
> > It is a very rough draft, but I would appreciate feedback on it.
> >
> > Thanks,
> > Kathleen
> >
>
> Regarding Whole-Population BR Audit of Intermediate Certs, since the BRs
> are for SSL certs, this should probably only apply to intermediate certs
> that are capable of issuing SSL certs.

Agreed, which will require a definition of capability. This was discussed
during the Mountain View F2F in the Forum though, and roughly aligns with
"Anything browsers recognize as SSL capable" (something Mozilla's policy
already explores)

> Regarding auditing for things in RFC 5280...
>
> There are things in RFC 5280 (such as duplicate serial numbers) that
> aren't stated in the BRs. So, does the CAB Forum need to add important
> requirements from RFC 5280 to the BRs, so they get added to the BR audit
> criteria?

They are.

From BR 1.1.9
From Section 4, Terminology
"Valid Certificate: A Certificate that passes the validation procedure
specified in RFC 5280"

From Appendix B - Certificate Extensions (Normative)
"All other fields and extensions MUST be set in accordance with RFC 5280".

Note fields includes non-extension fields.

> Why I ask...
> It is my understanding that when an auditor performs a BR audit, she
> will follow a BR audit criteria such as the WebTrust BR audit criteria
> or the ETSI TS 102 042 PTC-BR criteria. For the requirements that are
> explicitly defined in the BR audit criteria, the auditor will examine
> the technical settings and sampled certificates to check for those
> things. For things that are not explicitly defined in BR audit criteria,
> the auditor may use some less strict audit procedures such as asking CA
> personnel or reviewing the CP/CPS to check for those things.
>
> Kathleen

RFC 5280 is clear as a profile of what constitutes a 'valid' PKIX X.509
certificate. Fields that fail to adhere to the technical requirements do
not conform to the BRs.

For example, RFC 5280 Section 4.1.2.2. (Serial Number)
"The serial number MUST be a positive integer assigned by the CA to each
certificate. It MUST be unique for each certificate issued by a given CA
(i.e., the issuer name and serial number identify a unique certificate).
CAs MUST force the serialNumber to be a non-negative integer."

This basic requirement has been in RFC 5280 since 2008, RFC 3280 since
2002. The uniqueness requirement is present in RFC 2459 since 1999.
(however, the "positive integer" requirement was not, at least not within
4.1.2.2)

Given that the BRs normatively incorporate RFC 5280, auditors MUST be
checking compliance in order to evaluate whether or not a given
certificate conforms to the BRs.
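The serial-number rules quoted in the message (positive integer, unique per issuer) as an added example that is not part of the thread: a small checker that reads serialNumber and issuer straight out of DER with a hand-written walker (no ASN.1 library is assumed) and reports the non-conformances an auditor would look for, judging uniqueness per issuer as RFC 5280 does. The input certificates are constructed stubs carrying only the fields up to issuer.

```python
def _read(buf, pos):  # decode one DER header -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def serial_and_issuer(cert_der):  # -> (serialNumber content, issuer Name content)
    _, pos, _ = _read(cert_der, 0)                # Certificate SEQUENCE
    _, pos, _ = _read(cert_der, pos)              # tbsCertificate SEQUENCE
    tag, start, end = _read(cert_der, pos)
    if tag == 0xA0:                               # optional [0] EXPLICIT version
        tag, start, end = _read(cert_der, end)
    assert tag == 0x02, "serialNumber INTEGER not found"
    _, _, sig_end = _read(cert_der, end)          # skip signature AlgorithmIdentifier
    _, istart, iend = _read(cert_der, sig_end)    # issuer Name
    return cert_der[start:end], cert_der[istart:iend]

def audit_serials(certs):  # index -> findings; uniqueness is judged per issuer
    findings, seen = {}, {}
    for i, der in enumerate(certs):
        serial, issuer = serial_and_issuer(der)
        problems = []
        if all(b == 0 for b in serial):            # zero fails "MUST be positive"
            problems.append("zero, not a positive integer")
        elif serial[0] & 0x80:                     # DER INTEGER with sign bit set
            problems.append("negative: DER INTEGER sign bit set")
        if (issuer, serial) in seen:               # issuer + serial must be unique
            problems.append(f"duplicates serial of cert {seen[issuer, serial]}")
        seen.setdefault((issuer, serial), i)
        if problems:
            findings[i] = problems
    return findings

def _tlv(tag, content):  # short-form DER only; the stubs stay under 128 bytes
    return bytes([tag, len(content)]) + content

def _stub_cert(serial, issuer_cn):  # constructed: fields up to issuer, nothing more
    sig = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
    cn = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0c, issuer_cn))  # commonName
    tbs = _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, serial) + sig + _tlv(0x30, _tlv(0x31, cn))
    return _tlv(0x30, _tlv(0x30, tbs))

SAMPLE_CERTS = [  # constructed inputs, not real CA output
    _stub_cert(b"\x0f\x1e", b"CA One"),  # 0: conforming
    _stub_cert(b"\x0f\x1e", b"CA One"),  # 1: duplicate of 0 under the same issuer
    _stub_cert(b"\x00", b"CA One"),      # 2: zero
    _stub_cert(b"\x80\x01", b"CA Two"),  # 3: negative
    _stub_cert(b"\x0f\x1e", b"CA Two"),  # 4: same serial, different issuer: allowed
]
```

Running `audit_serials(SAMPLE_CERTS)` flags certificates 1, 2 and 3 and leaves 0 and 4 clean; real DER certificates can be passed in unchanged, since the walker only reads the leading tbsCertificate fields.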