On 12/3/15 11:34 AM, Peter Bowen wrote:
> Agreed. However it does raise the question of whether the Mozilla
> policy should be:
> 1) All certificates with CA:TRUE must be disclosed or
> 2) All certificates with CA:TRUE must be disclosed except:
> - certificates that meet the technically constrained definition
> - certificates where the issuer is not required to be disclosed due to
> the previous line or
> 3) All certificates with CA:TRUE must be disclosed except certificates
> where the Issuing CA is technically constrained
> Option #3 would require disclosing the technically constrained
> certificate but nothing further down the graph.
> Thanks,
> Peter
My interpretation of sections 8-10 of Mozilla's policy is #2.
> 2) All certificates with CA:TRUE must be disclosed except:
> - certificates that meet the technically constrained definition
> - certificates where the issuer is not required to be disclosed due to
> the previous line
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
"8. All certificates that are capable of being used to issue new
certificates, and which directly or transitively chain to a certificate
included in Mozilla’s CA Certificate Program, MUST be operated in
accordance with Mozilla’s CA Certificate Policy and MUST either be
technically constrained or be publicly disclosed and audited."
And I think the BRs are in alignment with this.
"Technically Constrained Subordinate CA Certificate: A Subordinate CA
certificate which uses a combination of Extended Key Usage settings and
Name Constraint settings to limit the scope within which the Subordinate
CA Certificate may issue Subscriber or additional Subordinate CA
Certificates.
8.1. FREQUENCY OR CIRCUMSTANCES OF ASSESSMENT
Certificates that are capable of being used to issue new certificates
MUST either be Technically Constrained in line with section 7.1.5 and
audited in line with section 8.7 only, or Unconstrained and fully
audited in line with all remaining requirements from this section. A
Certificate is deemed as capable of being used to issue new certificates
if it contains an X.509v3 basicConstraints extension, with the cA
boolean set to true and is therefore by definition a Root CA Certificate
or a Subordinate CA Certificate."
Kathleen
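A small model of the three disclosure options Peter lists, added here as an example that is not part of the thread or of Mozilla's policy text. The hierarchy is constructed, "technically constrained" is taken as a flag standing in for the BR's EKU-plus-name-constraints test, and option 3 is read the way Peter's gloss describes it, exempting everything below a technically constrained CA rather than only its direct children.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    name: str
    issuer: Optional[str]          # None for a root
    ca: bool                       # basicConstraints cA boolean
    technically_constrained: bool  # EKU + Name Constraints per the BR definition

# Constructed sample hierarchy (hypothetical names, not any real CA program)
HIERARCHY = {c.name: c for c in [
    Cert("Root", None, True, False),
    Cert("Sub-A", "Root", True, False),                      # unconstrained sub-CA
    Cert("Sub-TC", "Root", True, True),                      # technically constrained sub-CA
    Cert("Sub-TC-Child", "Sub-TC", True, False),             # cA=TRUE, issued under Sub-TC
    Cert("Sub-TC-Grandchild", "Sub-TC-Child", True, False),  # one level further down
    Cert("Leaf", "Sub-A", False, False),                     # end-entity, cA=FALSE
]}

def issuing_chain(name, hierarchy=HIERARCHY):
    """Yield the issuing CAs of `name`, nearest first, up to the root."""
    cert = hierarchy[name]
    while cert.issuer is not None:
        cert = hierarchy[cert.issuer]
        yield cert

def must_disclose(name, option, hierarchy=HIERARCHY):
    """Apply one of the three policy readings from the thread to a single certificate."""
    cert = hierarchy[name]
    if not cert.ca:
        return False  # only CA:TRUE certificates are in scope under all three options
    if option == 1:
        return True   # option 1: every CA:TRUE certificate
    if option == 2:
        # option 2: exempt if technically constrained, or if the issuer is itself exempt
        if cert.technically_constrained:
            return False
        if cert.issuer is None:
            return True
        return must_disclose(cert.issuer, 2, hierarchy)
    if option == 3:
        # option 3 (Peter's gloss): exempt if any issuing CA above it is technically constrained
        return not any(c.technically_constrained for c in issuing_chain(name, hierarchy))
    raise ValueError(f"unknown option {option}")

def disclosure_set(option, hierarchy=HIERARCHY):
    """Names of the certificates that must be disclosed under the given option."""
    return {n for n in hierarchy if must_disclose(n, option, hierarchy)}
```

The difference Peter points out shows up directly: option 2 leaves Sub-TC out, while option 3 requires Sub-TC itself but nothing issued beneath it.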
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy