On 01/09/17 04:47, Víctor wrote:
> But I find an issue here. The root has both websites and email trust
> bits. The subCA cert is not constrained. The representative of the CA
> wants to add the subCA to OneCRL because this subCA doesn't issue TLS
> certificates. OneCRL and the CA program act on both Firefox (if
> websites trust bit enabled) and Thunderbird (if email trust bit
> enabled).

I don't believe Thunderbird checks OneCRL, although someone may wish to
contradict me.

> - Should CAs that ONLY have the websites trust bit get all their subCAs
> -that do not issue TLS certificates and the intermediate certificate
> is not technologically constrained- added to OneCRL just for
> prevention? Should this become mandatory?

SubCAs which are technically capable of issuing TLS certificates,
whether the CA intends for them to do so or not, need to either be
name-constrained or need to be publicly disclosed and audited. If
neither of those things is possible, we might add it to OneCRL, but this
should not be seen as a simple and first-choice solution. Better is to
make subCAs which are not intended for TLS certificates not technically
capable of issuing them in the first place.

Gerv
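To make the distinction Gerv draws concrete, here is an added example (my own code, not from this thread or from Mozilla) that builds a constructed in-memory hierarchy with Go's standard crypto/x509 package: a root, a subCA with no EKU extension at all, and a subCA whose EKU lists only emailProtection. `TechnicallyConstrainedForTLS` is an assumed approximation of the "technically constrained" idea from the message (EKU present without anyEKU; if serverAuth is still listed, name constraints must also be present), and `CanIssueTrustedTLSLeaf` shows what a TLS client's path validation does with a serverAuth leaf issued by each subCA. All certificate names and serials are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TechnicallyConstrainedForTLS reports whether an intermediate cannot be used to
// issue trusted TLS certificates (assumed rule: an EKU extension must be present
// and must not contain anyEKU; if it still lists serverAuth, name constraints are
// required as well).
func TechnicallyConstrainedForTLS(c *x509.Certificate) bool {
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		return false // no EKU at all: capable of issuing anything, TLS included
	}
	allowsServerAuth := false
	for _, eku := range c.ExtKeyUsage {
		switch eku {
		case x509.ExtKeyUsageAny:
			return false
		case x509.ExtKeyUsageServerAuth:
			allowsServerAuth = true
		}
	}
	if !allowsServerAuth {
		return true // e.g. an S/MIME-only subCA
	}
	return len(c.PermittedDNSDomains)+len(c.ExcludedDNSDomains)+
		len(c.PermittedIPRanges)+len(c.ExcludedIPRanges)+
		len(c.PermittedEmailAddresses)+len(c.ExcludedEmailAddresses)+
		len(c.PermittedURIDomains)+len(c.ExcludedURIDomains) > 0
}

// Hierarchy is a constructed PKI: one root and two subCAs with their keys.
type Hierarchy struct {
	Root, Unconstrained, EmailOnly *x509.Certificate
	UnconstrainedKey, EmailOnlyKey *ecdsa.PrivateKey
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// mustCreate signs tmpl with signer (parent's key) and parses the result.
func mustCreate(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	c, err := x509.ParseCertificate(der)
	check(err)
	return c
}

// caTemplate returns a CA template; a nil ekus slice means "no EKU extension".
func caTemplate(cn string, serial int64, ekus []x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, ExtKeyUsage: ekus,
	}
}

// BuildHierarchy creates the constructed root and the two subCAs under it.
func BuildHierarchy() *Hierarchy {
	rootKey, rootTmpl := newKey(), caTemplate("Constructed Root", 1, nil)
	h := &Hierarchy{UnconstrainedKey: newKey(), EmailOnlyKey: newKey()}
	h.Root = mustCreate(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	h.Unconstrained = mustCreate(caTemplate("Constructed SubCA (no EKU)", 2, nil),
		h.Root, &h.UnconstrainedKey.PublicKey, rootKey)
	h.EmailOnly = mustCreate(caTemplate("Constructed SubCA (S/MIME only)", 3,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}),
		h.Root, &h.EmailOnlyKey.PublicKey, rootKey)
	return h
}

// CanIssueTrustedTLSLeaf issues a serverAuth leaf for example.test from sub and
// asks Go's path validator whether a TLS client would accept the chain.
func CanIssueTrustedTLSLeaf(root, sub *x509.Certificate, subKey *ecdsa.PrivateKey) bool {
	leafKey := newKey()
	leaf := mustCreate(&x509.Certificate{
		SerialNumber: big.NewInt(100), Subject: pkix.Name{CommonName: "example.test"},
		DNSNames:  []string{"example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, sub, &leafKey.PublicKey, subKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		DNSName: "example.test", KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err == nil // the email-only subCA fails with an incompatible key usage error
}

func main() {
	h := BuildHierarchy()
	fmt.Println("no-EKU subCA: constrained =", TechnicallyConstrainedForTLS(h.Unconstrained),
		"issues trusted TLS leaf =", CanIssueTrustedTLSLeaf(h.Root, h.Unconstrained, h.UnconstrainedKey))
	fmt.Println("S/MIME subCA: constrained =", TechnicallyConstrainedForTLS(h.EmailOnly),
		"issues trusted TLS leaf =", CanIssueTrustedTLSLeaf(h.Root, h.EmailOnly, h.EmailOnlyKey))
}
```

The point the example makes is the one in the message: the subCA without an EKU extension is accepted by a TLS client as an issuer of example.test even though the CA never intended it for TLS, so "we don't issue TLS from it" is a policy, not a technical control; the emailProtection-only subCA is rejected by path validation regardless of what anyone intends, so nothing needs to be revoked via OneCRL to keep it out of the web PKI.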

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
