On 20/07/17 15:24, Gervase Markham via dev-security-policy wrote:
> On 12/07/17 21:18, Ben Wilson wrote:
>> For CAs with emailProtection and proper name constraints, where would such CAs
>> appear in https://crt.sh/mozilla-disclosures?
>> https://crt.sh/mozilla-disclosures#constrainedother? Or a new section of the
>> list, yet to be determined?
>
> I believe Rob has now split the list into two.

Ben, these intermediate certs should appear in
https://crt.sh/mozilla-disclosures#constrained (if they've not been
disclosed to CCADB).

https://crt.sh/mozilla-disclosures#constrainedother is for intermediate
certs for which there is a signature chain up to a root that is trusted
by Mozilla, but which are trusted for neither Server Authentication nor
Secure Email. (Mostly they're Code Signing intermediates, it seems).

>> And for CAs where EKU contains emailProtection, what are the programmatic
>> criteria that determine whether the CA will be in such list as properly name
>> constrained, since the Baseline Requirements don't cover email certificates?
>> (Presumably, a properly name-constrained email CA would not require any audit.)
>
> Rob would be able to say. But the criteria for whether an email
> intermediate is properly name constrained are in Mozilla policy 2.5.

The purpose of the https://crt.sh/mozilla-disclosures page is to track
compliance with the Mozilla Root Store Policy. BRs, or the lack of
them, are only relevant to this page insofar as the Mozilla Root Store
Policy says they're relevant.

So yes, this page uses the criteria from Mozilla Root Store Policy v2.5.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
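The bucketing the thread describes (technically constrained vs. constrained for neither Server Auth nor Secure Email vs. not constrained at all), as an added example that is not crt.sh's code nor anything the posters wrote. It encodes an assumed, simplified reading of the "technically constrained" rules in Mozilla Root Store Policy v2.5 section 5.3.1 (emailProtection needs a permitted rfc822Name; serverAuth needs dNSName and iPAddress constraints per BR 7.1.5) over a hand-built summary of an intermediate's extensions, so the Python data model and the bucket name "unconstrained" are this example's own.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# KeyPurposeId OIDs from RFC 5280 section 4.2.1.12
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
ANY_EKU = "2.5.29.37.0"

GeneralName = Tuple[str, str]  # (GeneralName type, value), e.g. ("rfc822Name", "example.com")


@dataclass
class IntermediateInfo:
    """Constructed summary of the two extensions the check needs (assumed model)."""
    ekus: Optional[Set[str]]                       # None = no EKU extension present
    permitted: List[GeneralName] = field(default_factory=list)
    excluded: List[GeneralName] = field(default_factory=list)


def classify(cert: IntermediateInfo) -> str:
    """Return which crt.sh mozilla-disclosures section an intermediate belongs in.

    "constrained"      -> technically constrained under the assumed v2.5 rules
    "constrainedother" -> trusted for neither Server Auth nor Secure Email
    "unconstrained"    -> full disclosure/audit obligations apply
    """
    # No EKU, or anyExtendedKeyUsage, means the cert is trusted for everything.
    if cert.ekus is None or ANY_EKU in cert.ekus:
        return "unconstrained"
    email = EMAIL_PROTECTION in cert.ekus
    server = SERVER_AUTH in cert.ekus
    if not email and not server:
        return "constrainedother"          # e.g. a Code Signing intermediate
    if email and not any(t == "rfc822Name" for t, _ in cert.permitted):
        return "unconstrained"             # email EKU without a permitted rfc822Name
    if server:
        # BR 7.1.5: both dNSName and iPAddress must be constrained (permitted or excluded).
        constrained_types = {t for t, _ in cert.permitted + cert.excluded}
        if not {"dNSName", "iPAddress"} <= constrained_types:
            return "unconstrained"
    return "constrained"
```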