On 12/3/15 11:34 AM, Peter Bowen wrote:
> Agreed.  However it does raise the question of whether the Mozilla
> policy should be:
>
> 1) All certificates with CA:TRUE must be disclosed or
>
> 2) All certificates with CA:TRUE must be disclosed except:
> - certificates that meet the technically constrained definition
> - certificates where the issuer is not required to be disclosed due to
> the previous line or
>
> 3) All certificates with CA:TRUE must be disclosed except certificates
> where the Issuing CA is technically constrained
>
> Option #3 would require disclosing the technically constrained
> certificate but nothing further down the graph.
>
> Thanks,
> Peter



My interpretation of sections 8-10 of Mozilla's policy is #2.
> 2) All certificates with CA:TRUE must be disclosed except:
> - certificates that meet the technically constrained definition
> - certificates where the issuer is not required to be disclosed due to
> the previous line

https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
"8. All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to a certificate included in Mozilla’s CA Certificate Program, MUST be operated in accordance with Mozilla’s CA Certificate Policy and MUST either be technically constrained or be publicly disclosed and audited."

And I think the BRs are in alignment with this.
"Technically Constrained Subordinate CA Certificate: A Subordinate CA certificate which uses a combination of Extended Key Usage settings and Name Constraint settings to limit the scope within which the Subordinate CA Certificate may issue Subscriber or additional Subordinate CA Certificates.
8.1. FREQUENCY OR CIRCUMSTANCES OF ASSESSMENT
Certificates that are capable of being used to issue new certificates MUST either be Technically Constrained in line with section 7.1.5 and audited in line with section 8.7 only, or Unconstrained and fully audited in line with all remaining requirements from this section. A Certificate is deemed as capable of being used to issue new certificates if it contains an X.509v3 basicConstraints extension, with the cA boolean set to true and is therefore by definition a Root CA Certificate or a Subordinate CA Certificate."


Kathleen
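As an added illustration (not from either message, and not Mozilla's or the CA/Browser Forum's own tooling), here is a small Python model of the three options Peter lists, applied to a constructed CA hierarchy, using the BR definition of "technically constrained" that Kathleen quotes. Assumptions: technically constrained is simplified to "has a limiting EKU and a Name Constraints extension", and both exemptions are read as covering the whole subtree below a constrained CA, as Peter's "nothing further down the graph" wording suggests.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class CaCert:
    """Constructed model of one CA certificate; not parsed from real DER."""
    name: str
    issuer: Optional[str]           # None marks a root
    ca: bool = True                 # basicConstraints cA boolean
    eku: bool = False               # limiting Extended Key Usage present
    name_constraints: bool = False  # Name Constraints extension present

    @property
    def technically_constrained(self) -> bool:
        # Simplified reading of the BR definition quoted in the thread:
        # EKU settings combined with Name Constraint settings.
        return self.ca and self.eku and self.name_constraints

def disclosure_set(certs, option):
    """Names of the CA:TRUE certs that must be disclosed under option 1, 2 or 3."""
    by_name = {c.name: c for c in certs}

    def under_constrained_ca(c):
        # True if any ancestor is technically constrained. Assumption: the
        # exemption covers the whole subtree ("nothing further down the graph").
        while c.issuer is not None:
            c = by_name[c.issuer]
            if c.technically_constrained:
                return True
        return False

    must = set()
    for c in certs:
        if not c.ca:
            continue                      # end-entity certs are out of scope
        if option == 1:
            must.add(c.name)              # every CA:TRUE certificate
        elif option == 2 and not c.technically_constrained and not under_constrained_ca(c):
            must.add(c.name)              # TC cert and everything below it exempt
        elif option == 3 and not under_constrained_ca(c):
            must.add(c.name)              # TC cert disclosed, everything below exempt
    return must

SAMPLE = [  # constructed hierarchy, roughly the shape the thread discusses
    CaCert("Root", None),
    CaCert("Unconstrained Sub", "Root"),
    CaCert("Constrained Sub", "Root", eku=True, name_constraints=True),
    CaCert("Sub-sub under constrained", "Constrained Sub"),
    CaCert("EKU-only Sub", "Unconstrained Sub", eku=True),  # EKU alone is not TC
]
```

Running the three options over SAMPLE shows the only difference between #2 and #3: the technically constrained sub-CA itself is disclosed under #3 but not under #2, while its descendants are exempt under both.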




_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy