This is a suggestion for stricter rules regarding the creation of
intermediate CA certificates that are issued by root CA certificates
included in the Mozilla CA list.

Every CA organization should be ultimately responsible that the
intermediate CA certificates they create will never be used in a MITM
device.

If an intermediate CA certificate controlled by the CA, or controlled by
a subordinate entity of the CA, is used in a MITM device, or used to
mis-issue a certificate, the discovery of an unrevoked mis-issued
certificate will result in the immediate removal of the respective root
CA certificate.

If a CA provides an intermediate CA certificate to an external
organization, then the intermediate CA certificate must contain a name
constraint extension, which restricts the abilities of the intermediate.

The constraint must either limit the intermediate to
(a) a set of second level domains the external organization controls, or
(b) exactly one TLD.

The discovery of any unconstrained and unrevoked intermediate CA
certificate that isn't controlled by the root CA organization results in
the immediate removal of the root CA from the Mozilla CA list.

If the CA issues an intermediate CA that is constrained to a TLD, then
the primary CA is fully responsible for the actions of the external
organization, including deliberate and accidental misuse of the
intermediate. A misuse of the intermediate, or a misuse of any
subordinate certificate, is the full responsibility of the primary CA.

Because of the potential consequences of a misuse of an intermediate for
the primary CA, it is recommended that a CA shall be very careful when
handing out an intermediate to an external organization, such as
enclosing the intermediate's key in an HSM, and requiring a contract
with the external organization, which would cover the monetary risk of
closing down the business of the primary CA.

The discovery of any misuse where the primary CA has the full
responsibility shall result in the immediate removal of the CA from the
Mozilla list.

Thoughts?

Thanks,
Kai


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
