> -----Original Message-----
> From: Gervase Markham [mailto:g...@mozilla.org]
> Sent: Tuesday, June 20, 2017 9:12 PM
> To: Doug Beattie <doug.beat...@globalsign.com>; mozilla-dev-security-
> pol...@lists.mozilla.org
> Subject: Re: Root Store Policy 2.5: Call For Review and Phase-In Periods
> > We have 2 customers that can issue Secure Email certificates that are
> > not technically constrained with name Constraints (the EKU is
> > constrained to Secure Email and ClientAuth).
> > One customer operates the CA within their environment and has been
> > doing so for several years. Even though we've been encouraging them to
> > move back to a Name Constrained CA or a hosted service,
> 
> To be clear: this customer has the ability to issue email certificates for any
> email address on the planet, and they control their own intermediate in
> their own infrastructure?

Yes, but see qualifications below.

> Do they have audits of any sort?

There had not been any audit requirements for EKU technically constrained CAs, 
so no, there are no audits.

> What are their objections to moving to a hosted service?

They are integrated with a Microsoft CA and moving will take some time to 
integrate with a different delivery of certificates.  It will just take some 
time.

> > The other customer complies with the prior words in the Mozilla policy
> > regarding "Business Controls".  We have an agreement with them where we
> > issue them Secure Email certificates from our Infrastructure for domains
> > they host and are contractually bound to using those certificates only for the
> > matching mail account.  Due to the number of different domains managed
> > and the fact they obtain certificates on behalf of the users, it's difficult to
> > enforce validation of the email address.  We have plans to add features to
> > this issuance platform that will resolve this, but not in the near term.
> 
> So even though this issuance is from your infrastructure, there are no
> restrictions on the domains they can request issuance from?

That is correct.  Enforcement is via contractual/business controls, which is 
compliant with the current policy, as vague and weak as that is (and as you've 
previously acknowledged).  Moving from this level of control to being audited 
or having name constraints will take more time than just a couple of months.  

Two further points:
1) It's not clear if email applications work with name constrained CAs.  Some 
have reported email applications do not work; however, I have not tested this 
case. 
2) It's unlikely that a secure email cert which is not compliant with the NC 
extension would be identified by email applications as non-compliant.  Again, 
this is something I haven't tested either. Maybe some others have first-hand 
knowledge of how email applications work (or not) with NC CAs?

Both of the customers are large US-based companies with contractual obligations 
to only issue secure email certificates to domains which they own and control, 
so I hope we can come to an agreement on the phased plan.

> Gerv
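The check at issue in point 2 above, as an added example that is not part of the thread: the RFC 5280 rfc822Name name-constraint matching a mail client would have to apply to an S/MIME leaf before trusting it. The constraint values and addresses are constructed; an empty permitted list models the EKU-only "technically constrained" CA shape the thread describes.

```python
# Added example (not from the thread): the RFC 5280 section 4.2.1.10
# rfc822Name name-constraint check a relying party (mail client) would
# have to perform on an S/MIME leaf certificate. The addresses and
# constraint values used with it are constructed for illustration.

def _split_mailbox(mailbox: str):
    """Split 'local@host' into (local, host); host is lowered because
    domain comparison is case-insensitive, the local part is kept as-is."""
    local, sep, host = mailbox.rpartition("@")
    if not sep or not local or not host:
        return None
    return local, host.lower()


def _rfc822_matches(email: str, constraint: str) -> bool:
    """Does one email fall inside one rfc822Name subtree? Three forms:
    'user@host'  - exactly that mailbox
    'host'       - any mailbox on that host (not on sub-hosts)
    '.domain'    - any host inside the domain (NOT the bare domain itself)"""
    parts = _split_mailbox(email)
    if parts is None:
        return False
    local, host = parts
    if "@" in constraint:
        return _split_mailbox(constraint) == (local, host)
    constraint = constraint.lower()
    if constraint.startswith("."):
        return host.endswith(constraint)
    return host == constraint


def email_permitted(email: str, permitted, excluded) -> bool:
    """Apply a CA's rfc822Name permitted/excluded subtrees to one address.
    An empty 'permitted' list models a CA with no rfc822Name constraint,
    i.e. the EKU-only 'technically constrained' CAs the thread describes:
    any address on the planet passes. An excluded match always wins."""
    if any(_rfc822_matches(email, c) for c in excluded):
        return False
    if not permitted:
        return True
    return any(_rfc822_matches(email, c) for c in permitted)


def leaf_permitted(san_emails, permitted, excluded) -> bool:
    """Every rfc822Name in the leaf's SAN must satisfy the constraints."""
    return all(email_permitted(e, permitted, excluded) for e in san_emails)
```

Note the leading-period footgun: a CA constrained only to ".example.com" cannot issue for "user@example.com" itself, so a CA covering one company's mail normally lists both "example.com" and ".example.com".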
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy