Ben,

I'm about to use the term 'paragraph' to refer to the text within section
5.3.1 that is separated by carriage returns.

The prior version of the policy contained the language in the final
paragraph of section 5.3.1 - see
https://github.com/mozilla/pkipolicy/commit/f96076a01ef10e5d6a84fa4b042227512925cb7c
The language in paragraph 3 and the compliance deadline in paragraph 4 of
section 5.3.1 were added in the latest version of the policy.

I believe this shows that the intent of the conditional statement in the
fourth paragraph of section 5.3.1 is to reference the third paragraph of
section 5.3.1, not the language in section 5.3. I also think that your
interpretation would allow a CA to neither publicly disclose nor technically
constrain a subordinate CA containing the id-kp-emailProtection EKU -
something that was required in the previous version of the policy.

I've added an issue in GitHub requesting that we clarify this language as
you suggested in the next version of the policy.

- Wayne

On Mon, Jan 8, 2018 at 4:12 PM, Ben Wilson via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> The problem with the wording of the paragraphs in section 5.3.1 is that they
> should have said "..., in order to be considered Technically Constrained,
> ...". Right now they read like absolutes.
>
> -----Original Message-----
> From: dev-security-policy
> [mailto:dev-security-policy-bounces+ben=digicert....@lists.mozilla.org] On
> Behalf Of Ben Wilson via dev-security-policy
> Sent: Monday, January 8, 2018 3:42 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: 5.3.1 Technically Constrained
>
> Which "above paragraph" is being referenced in the following excerpt from
> Section 5.3.1 of the Mozilla Root Store Policy v.2.5
> (https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/)?
>
> "Instead of complying with the above paragraph, intermediate certificates
> issued before 22nd June 2017 may, until 15th January 2018, comply with the
> following paragraph:
>
> If the certificate includes the id-kp-emailProtection extended key usage,
> then all end-entity certificates MUST only include e-mail addresses or
> mailboxes that the issuing CA has confirmed (via technical and/or business
> controls) that the subordinate CA is authorized to use."
>
> I interpret that "the above paragraph" means the following paragraph: "5.3
> Intermediate Certificates    All certificates that are capable of being used
> to issue new certificates, and which directly or transitively chain to a
> certificate included in Mozilla's CA Certificate Program, MUST be operated
> in accordance with this policy and MUST either be technically constrained or
> be publicly disclosed and audited."
>
> Thanks,
>
> Ben Wilson
>
> Ben Wilson, JD, CISA, CISSP
> VP Compliance
> +1 801 701 9678
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy