On 03/15/16 22:43, kwil...@mozilla.com wrote: > On Monday, March 14, 2016 at 5:28:32 PM UTC-7, Charles Reiss wrote: >>> ACTION #1a: As previously communicated, CAs should no longer be >>> issuing SHA-1 certificates chaining up to root certificates >>> included in Mozilla's CA Certificate Program. Check your systems >>> and those of your subordinate CAs to ensure that SHA-1 >>> certificates chaining up to your included root certificates are >>> no longer being issued. Please enter the last date that a SHA-1 >>> certificate was issued that chained up to your root >>> certificate(s) included in Mozilla's program. (Required) >> >> Mozilla should make clear how this question should be answered >> with respect to issuance of: a) SHA-1 subCAs which are constrained >> by EKU to not issue TLS server or email certs (e.g. for code >> signing); b) SHA-1 end-entity certificates which are constrained by >> EKU to not be for TLS servers or email certs but whose issuing >> subCA is not so constrained; c) SHA-1 end-entity certificates which >> are not constrained by EKU but lack a common name or SAN which can >> be used a server name or email address; and d) SHA-1 end-entity >> certificates whose parent CA is constrained by EKU to not be for >> TLS server or email certs; >> >> The question as written would seem to me to apply to all of these >> (since "SHA-1 certificates chaining up to your included root >> certificates" is not qualified), but it seems, from inclusion >> request discussion, that CAs tend to think that "out of scope" >> certificates need not be mentioned. >> > > Does the following text clear it up? > > ACTION #1a: As previously communicated, CAs should no longer be > issuing SHA-1 certificates chaining up to root certificates included > in Mozilla's CA Certificate Program. This includes TLS/SSL and S/MIME > certificates, as well as any intermediate certificates that they > chain up to. Check your systems and those of your subordinate CAs to > ensure that SHA-1 based TLS/SSL and S/MIME certificates chaining up > to your included root certificates are no longer being issued. Please > enter the last date that a SHA-1 based TLS/SSL certificate was issued > that chained up to your root certificates included in Mozilla's > program. (Required)
For reasons discussed in thread on BR scope here (that restrictions from certificate contents won't be effective against a chosen-prefix collision attack), I was hoping that Mozilla would ask whether CAs would continue issuing any SHA-1 certificates, regardless of suitability for TLS or S/MIME (except those that chain through technically constrained subCAs issued before 2016). But perhaps that needs to be done in context of more expansive improvements to Mozilla's policies. >> [snip] >>> ACTION #6: All certificates that directly or transitively chain >>> to your root certificate(s) included in Mozilla's CA Certificate >>> Program must comply with Mozilla's CA Certificate Policy. This >>> includes test certificates. >>> >>> Review your policies, procedures, and auditing about issuance of >>> test certificates, what domain names may be used in test >>> certificates, and the domain verification procedures that must be >>> followed for test certificates. >>> >>> [TBD] What else should we say here? -- What sort of responses to >>> we want from CAs? -- Rules about testing and test certs (per >>> Symantec incident) -- What sorts of things do we want to make >>> sure CAs do and don't do regarding testing? (Required) >> >> Maybe a reminder that test certificates Mozilla expects test >> certificates to follow the domain validation procedures in the >> CA's CP/CPS (that Mozilla presumably reviewed) and not just be >> issued in compliance with the BRs per se? > > > How about the following? This seems to address that. My suspicion is that CAs generally think their test certificates comply with Mozilla's policy in terms of certificate contents, so maybe that is not the right thing to emphasize? My guess is that the real problems are ad-hoc and/or unpublished policies for how compliance is to be achieved. I think this is clearly prohibited by Mozilla's policies (which, e.g., require CAs notify Mozilla when "its policies and business practices change in regards to verification procedures for issuing certificates"). > ACTION #6: All certificates that directly or transitively chain to > your root certificates included in Mozilla's CA Certificate Program > must comply with Mozilla's CA Certificate Policy. This includes test > certificates. > > Review your policies, procedures, and auditing about issuance of test > certificates, what domain names may be used in test certificates, and > the domain verification procedures that must be followed for test > certificates. (Required) > > [checkbox] I confirm that I understand that all TLS/SSL certificates > chaining up root certificates included in Mozilla's CA Certificate > Program, without exception, must conform to Mozilla's CA Certificate > Policy and the domain validation procedures documented in our > CP/CPS. > > > Thanks, Kathleen > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
