(Resending as the attached file was too large)

On Fri, May 5, 2017 at 10:46 AM, Peter Bowen <pzbo...@gmail.com> wrote:
> On Thu, Apr 20, 2017 at 3:01 AM, Gervase Markham via
> dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>> On 15/04/17 17:05, Peter Bowen wrote:
>>> Should the Mozilla policy change to require disclosure of all CA
>>> certificates issued by an unconstrained CA (but not necessarily
>>> require audits, CP/CPS, etc)? This would help identify unintentional
>>> gaps in policy.
>>
>> https://github.com/mozilla/pkipolicy/issues/73
>>
>> I think I understand your point but if you could expand a bit in the
>> bug, that would be most welcome.
>
> Right now the policy does not require disclosure of CA-certificates
> that the CA deems are technically constrained.  We have seen numerous
> cases where the CA misunderstood the rules or where the rules had
> unintentional gaps and disclosing the certificate as constrained will
> allow discovery of these problems.  For example the current policy
> says "an Extended Key Usage (EKU) extension which does not contain
> either of the id-kp-serverAuth and id-kp-emailProtection EKUs" which
> means a certificate that has an EKU extension with only the
> anyExtendedKeyUsage KeyPurposeId falls outside of the scope.  This is
> obviously wrong, but would not be discovered today.
>
> The flow chart at https://imagebin.ca/v/3LRcaKW9t2Qt shows my proposal for
> disclosure; it is a revised version from the one I posted to the
> CA/Browser Forum list and depends on the same higher level workflow
> (https://cabforum.org/pipermail/public/attachments/20170430/0e692c4d/attachment-0002.png).
>
> Thanks,
> Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
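
The EKU gap described in the message above, as an added example that is not part of the original thread or of Mozilla's policy tooling. It models only the quoted EKU clause; the function names and the sample CA list are constructed for illustration, and the OIDs are the RFC 5280 values.

```python
# Key purpose OIDs (RFC 5280).
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ID_KP_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"


def excluded_by_quoted_clause(eku):
    """Literal reading of the quoted policy text.

    eku is None when the certificate has no EKU extension, otherwise a
    set of KeyPurposeId OIDs. The clause needs an EKU extension that
    contains neither serverAuth nor emailProtection.
    """
    if eku is None:
        return False  # no EKU extension: the clause cannot apply
    return ID_KP_SERVER_AUTH not in eku and ID_KP_EMAIL_PROTECTION not in eku


def excluded_with_any_eku_handled(eku):
    """Same clause, but anyExtendedKeyUsage keeps the CA in scope
    (hypothetical corrected reading, not policy text)."""
    if eku is None or ANY_EXTENDED_KEY_USAGE in eku:
        return False
    return excluded_by_quoted_clause(eku)


def scope_gaps(ca_certs):
    """Names of CA certificates the literal wording exempts although
    they carry anyExtendedKeyUsage."""
    return [
        name
        for name, eku in ca_certs
        if excluded_by_quoted_clause(eku) and not excluded_with_any_eku_handled(eku)
    ]


# Constructed sample data: (label, EKU OID set or None).
SAMPLE_CA_CERTS = [
    ("no-eku", None),
    ("server-auth", {ID_KP_SERVER_AUTH, ID_KP_CLIENT_AUTH}),
    ("code-signing-only", {ID_KP_CODE_SIGNING}),
    ("any-eku-only", {ANY_EXTENDED_KEY_USAGE}),
    ("any-eku-plus-client", {ANY_EXTENDED_KEY_USAGE, ID_KP_CLIENT_AUTH}),
]

if __name__ == "__main__":
    print(scope_gaps(SAMPLE_CA_CERTS))
```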