Section 5.3.1 of policy 2.4.1 defines what it means to be technically
constrained for email sub-CAs (those with id-kp-emailProtection). It says:

    "If the certificate includes the id-kp-emailProtection extended key
usage, then all end-entity certificates MUST only include e-mail
addresses or mailboxes that the issuing CA has confirmed (via technical
and/or business controls) that the subordinate CA is authorized to use."

This is bogus. What it says here is something that you have to do for
any email cert - it's not a technical constraint but a policy
constraint, and it's basically the same as 2.2.2:

    "for a certificate capable of being used for digitally signing or
encrypting email messages, the CA takes reasonable measures to verify
that the entity submitting the request controls the email account
associated with the email address referenced in the certificate or has
been authorized by the email account holder to act on the account
holder’s behalf;"

Section 5.3.1 should define technical constraints on the intermediate
appropriate for restricting email addresses to a whitelist of domains,
just as the section for id-kp-serverAuth restricts to a whitelist of
domains.

We don't have any "Email BRs" to refer to, but I think we want something
like this:

    "If the certificate includes the id-kp-emailProtection extended key
usage, it MUST include the Name Constraints X.509v3 extension with
constraints on rfc822Name, with at least one name in permittedSubtrees."

This is: https://github.com/mozilla/pkipolicy/issues/69
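To make the proposed rule concrete, here is a small checker, added here for illustration (it is not from this thread, from Mozilla's policy text, or from any Mozilla tooling), that evaluates the mailboxes a leaf asserts against an intermediate's rfc822Name permittedSubtrees/excludedSubtrees using the matching forms RFC 5280 section 4.2.1.10 defines. The NameConstraints structure, the function names and the sample addresses are all constructed for the example; a real audit would pull the values out of the actual Name Constraints extension and the leaf's SAN.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class NameConstraints:
    """rfc822Name entries of an intermediate's Name Constraints extension.

    Strings use the RFC 5280 section 4.2.1.10 forms:
      "root@example.com"  one particular mailbox
      "example.com"       every mailbox at that host
      ".example.com"      every mailbox in the domain (not the host itself)
    """
    permitted: list[str] = field(default_factory=list)
    excluded: list[str] = field(default_factory=list)


def split_mailbox(addr: str) -> tuple[str, str]:
    """Split 'local@host'; the host is lower-cased because hostnames are case-insensitive."""
    local, sep, host = addr.rpartition("@")
    if not sep or not local or not host:
        raise ValueError(f"not a mailbox: {addr!r}")
    return local, host.lower()


def rfc822_matches(addr: str, constraint: str) -> bool:
    """True if mailbox `addr` lies within the single subtree `constraint`."""
    local, host = split_mailbox(addr)
    c = constraint.strip().lower()
    if "@" in c:
        # Particular mailbox: exact host, and the local part compared exactly
        # (RFC 5321 treats local parts as case-sensitive).
        c_local, c_host = split_mailbox(constraint.strip())
        return host == c_host and local == c_local
    if c.startswith("."):
        # Whole domain: the host must be a proper subdomain of the constraint.
        return host.endswith(c)
    # Single host: every mailbox at exactly this host.
    return host == c


def is_technically_constrained(nc: NameConstraints) -> bool:
    """The proposed 5.3.1 rule: at least one rfc822Name in permittedSubtrees."""
    return len(nc.permitted) > 0


def check_leaf(nc: NameConstraints, mailboxes: list[str]) -> tuple[bool, list[str]]:
    """Validate every mailbox a leaf asserts against the intermediate's constraints.

    `mailboxes` should hold the SAN rfc822Name values and, if the leaf carries
    one, the subject emailAddress attribute, since RFC 5280 constrains both.
    Returns (ok, list of human-readable violations).
    """
    violations: list[str] = []
    if not is_technically_constrained(nc):
        violations.append("intermediate has no rfc822Name permittedSubtrees")
    for addr in mailboxes:
        if nc.permitted and not any(rfc822_matches(addr, p) for p in nc.permitted):
            violations.append(f"{addr}: outside every permitted subtree")
        if any(rfc822_matches(addr, e) for e in nc.excluded):
            violations.append(f"{addr}: inside an excluded subtree")
    return (not violations), violations


if __name__ == "__main__":
    # Constructed example: a sub-CA limited to example.com and its subdomains,
    # with one legacy host carved out through excludedSubtrees.
    sub_ca = NameConstraints(
        permitted=["example.com", ".example.com"],
        excluded=["legacy.example.com"],
    )
    for leaf in (
        ["alice@example.com", "bob@mail.example.com"],  # within the constraint
        ["mallory@example.org"],                        # outside the whitelist
        ["carol@legacy.example.com"],                   # permitted domain, excluded host
    ):
        ok, problems = check_leaf(sub_ca, leaf)
        print("OK  " if ok else "FAIL", leaf, problems)
```

Note the asymmetry the RFC builds in: "example.com" covers only mailboxes at that exact host, while ".example.com" covers subdomains but not the apex, so an intermediate meant to serve a whole organisation usually needs both forms in permittedSubtrees.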

-------

This is a proposed update to Mozilla's root store policy for version
2.5. Please keep discussion in this group rather than on Github. Silence
is consent.

Policy 2.4.1 (current version):
https://github.com/mozilla/pkipolicy/blob/2.4.1/rootstore/policy.md
Update process:
https://wiki.mozilla.org/CA:CertPolicyUpdates
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy