Today the Mozilla CA policy and the CAB Forum categorize CAs as either Root CAs or Intermediate CAs. However the reality is that the line is not always clear between the two and this leads to uncertainty of what requirements apply in various circumstances. For example, the Baseline Requirements require that CAs do not issue Subscriber (End-Entity) certificates from Root CAs, but a "cross-signed" CA might be able to argue that its root is a subordinate CA.
One possible solution is to require that all certificates for CAs that issue Subscriber certificates (those without CA:TRUE) have zero path length constraint in the basic constraints extension. All CAs with certificates with a longer allowed path length or no length constraint would only be allowed to issue certificate types that a Root CA is allowed to issue. I think that this already is best practice for CAs and moving it to a requirement would make it possible to technically enforce the practice. It would not have prevented the most recent issue, but would help prevent a whole class of other issues.

Thanks,
Peter

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
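A checker for the rule proposed above, written as an added example that is not part of the original post or of any Mozilla or CAB Forum tooling: it walks a chain (leaf first) over a constructed stand-in for the basicConstraints fields and flags a CA that issues Subscriber certificates without pathLenConstraint 0, alongside the existing RFC 5280 path length rule and the Baseline Requirements rule against roots issuing Subscriber certificates. The `Cert` dataclass, the `check_chain` name and the sample CA names are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Cert:
    """The few X.509 fields the check needs (a constructed stand-in, not a parsed cert)."""
    subject: str
    issuer: str
    ca: bool                       # basicConstraints cA flag
    pathlen: Optional[int] = None  # basicConstraints pathLenConstraint; None = absent

def check_chain(chain: List[Cert]) -> List[str]:
    """Walk a chain ordered leaf first, root last; return the policy violations found.

    [RFC5280]  a CA with pathLenConstraint n may have at most n CA certs below it
    [BR]       a root (self-signed CA) must not directly issue a Subscriber cert
    [proposed] a CA issuing Subscriber (non-CA) certs must carry pathLenConstraint 0;
               a CA with a longer or absent constraint may only issue CA certs
    """
    problems: List[str] = []
    for i in range(len(chain) - 1):
        child, parent = chain[i], chain[i + 1]
        if child.issuer != parent.subject:
            problems.append(f"[chain] {child.subject}: issuer {child.issuer!r} is not {parent.subject!r}")
            continue
        if not parent.ca:
            problems.append(f"[RFC5280] {parent.subject}: issued {child.subject} without cA=TRUE")
        cas_below = sum(1 for c in chain[: i + 1] if c.ca)  # CA certs between parent and the leaf
        if parent.pathlen is not None and cas_below > parent.pathlen:
            problems.append(f"[RFC5280] {parent.subject}: pathLenConstraint={parent.pathlen} "
                            f"but {cas_below} CA cert(s) below it")
        if parent.subject == parent.issuer and not child.ca:
            problems.append(f"[BR] {parent.subject}: root directly issued Subscriber cert {child.subject}")
        if not child.ca and parent.pathlen != 0:
            problems.append(f"[proposed] {parent.subject}: issues Subscriber certs but "
                            f"pathLenConstraint is {parent.pathlen}, not 0")
    return problems

# Constructed sample hierarchies; the names are placeholders, not real CAs.
ROOT = Cert("Example Root", "Example Root", ca=True)             # no path length limit
ISSUING = Cert("Example Issuing CA", "Example Root", ca=True, pathlen=0)
WIDE = Cert("Example Wide CA", "Example Root", ca=True)           # no limit: a root-like role
LEAF = "www.example.test"

CLEAN = [Cert(LEAF, "Example Issuing CA", ca=False), ISSUING, ROOT]
ROOT_ISSUES_LEAF = [Cert(LEAF, "Example Root", ca=False), ROOT]
WIDE_ISSUES_LEAF = [Cert(LEAF, "Example Wide CA", ca=False), WIDE, ROOT]
SUB_UNDER_PATHLEN0 = [Cert(LEAF, "Example Sub CA", ca=False),
                      Cert("Example Sub CA", "Example Issuing CA", ca=True, pathlen=0), ISSUING, ROOT]
```

Only `CLEAN` passes; the cross-signed-root and wide-intermediate cases are caught by the proposed rule even where RFC 5280 path validation alone would accept them.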

