On 25/3/2019 10:48 p.m., Wayne Thayer via dev-security-policy wrote:
I agree with Ryan on this. From a policy perspective, we should be
encouraging [and eventually requiring] EKU constraints, not making it
easier to exclude them.

I was merely copying parts of the existing policy related to "Policy Scope", not requirements for end-entity certificates. According to the BRs an EKU for SSL/TLS Certificates is required. I did a quick read on the Mozilla Policy and didn't find a statement to explicitly require an EKU for end-entity certificates capable of being used for S/MIME, unless I missed it. Section 5.3 only describes an EKU requirement for Intermediate Certificates. Perhaps we should update 5.2 to include a requirement for EKU for end-entity certificates.

Dimitris.

On Mon, Mar 25, 2019 at 1:03 PM Ryan Hurst via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

While it may be true that the certificates in question do not contain
SANs, unfortunately, the certificates may still be trusted for SSL since
they do not have EKUs.

For an example see "The most dangerous code in the world: validating SSL
certificates in non-browser software" which is available at
https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html

What you will see is that hostname verification is one of the most common
areas applications have a problem getting right. Oftentimes they silently
skip hostname verification, or use libraries that provide options to disable
hostname verification that are either off by default, or turned off for
testing and never enabled in production.

One of the few checks you can count on being right with any level of
predictability in my experience is the server EKU check where absence is
interpreted as an entitlement.

Ryan Hurst
(writing in a personal capacity)
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
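The "absence is interpreted as an entitlement" behaviour Ryan describes, shown in Go's crypto/x509 as an added example that is not part of this thread: a constructed self-signed leaf with no SAN and no EKU is accepted for serverAuth when hostname verification is skipped, while a stricter policy that demands an explicit serverAuth EKU rejects it. The names makeLeaf, acceptForServerAuth and test.example are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"slices"
	"time"
)

// must keeps the constructed fixtures short: any setup error aborts the run.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeLeaf builds a constructed self-signed test certificate with no SAN and
// the given EKU list; nil omits the EKU extension entirely.
func makeLeaf(ekus []x509.ExtKeyUsage) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "test.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  ekus,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// acceptForServerAuth mirrors an application that trusts cert as its anchor and
// skips hostname verification (no DNSName), so the EKU check is the only gate.
// crypto/x509 treats a missing EKU as "any usage"; with strict set, serverAuth
// must be listed explicitly, so absence is no longer an entitlement.
func acceptForServerAuth(cert *x509.Certificate, strict bool) bool {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil && (!strict || slices.Contains(cert.ExtKeyUsage, x509.ExtKeyUsageServerAuth))
}
```

A certificate carrying only emailProtection (an S/MIME-only EKU) is rejected even by the default path, which is why the thread treats the EKU as the one check that can be relied on; only the no-EKU case slips through without the strict policy.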
