Wayne Thayer <wtha...@mozilla.com> wrote:
> On Mon, Apr 1, 2019 at 5:36 PM Brian Smith via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> Here when you say "require EKUs," you mean that you are proposing that
>> software that uses Mozilla's trust store must be modified to reject
>> end-entity certificates that do not contain the EKU extension, if the
>> certificate chains up to the roots in Mozilla's program, right?
>
> That would be a logical goal, but I was only contemplating a policy
> requirement.
OK, let's say the policy were to change to require an EKU in every
end-entity certificate. Then, would the policy also require that existing
unexpired certificates that lack an EKU be revoked? Would the issuance of a
new certificate without an EKU be considered a policy violation that would
put the CA at risk of removal? The thing I want to avoid is saying "It is OK
for the CA to issue an end-entity certificate without an EKU and if there is
no EKU we will consider it out of scope of the program." In particular, I
don't want to put software that (correctly) implements the "no EKU extension
implies all usages are acceptable" at risk.

>> If so, how would one implement the "chain[s] up to roots in our program"
>> check? What's the algorithm? Is that actually well-defined?
>
> My starting proposal would be to reject all EE certs issued after a
> certain future date that don't include EKU(s), or that assert anyEKU. If
> your point is that it's not so simple and that this will break things, I
> suspect that you are correct.

The part that seems difficult to implement is the differentiation of a
certificate that chains up to a root in Mozilla's program from one that
doesn't. I don't think there is a good way to determine, given the
information that the certificate verifier has, whether a certificate chains
up to a root in Mozilla's program or not, so to be safe software has to
apply the same rules regardless of whether the certificate appears to chain
up to a root in Mozilla's program or not.

Cheers,
Brian
-- 
https://briansmith.org/

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
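An added example, not code from the thread or from any Mozilla, NSS or mozilla::pkix implementation, that models the two end-entity EKU rules contrasted in the message above: the RFC 5280 rule that an absent EKU extension (or anyExtendedKeyUsage) permits every usage, and the proposal to reject end-entity certificates issued after some future date that lack an EKU or assert anyEKU. The certificate records and the cutoff date are constructed for illustration; the OIDs are the real PKIX values. `divergent_certs` lists the certificates the two rules disagree on, which, because the verifier cannot tell whether a chain ends at a root in Mozilla's program, is the set a verifier switching rules would newly reject uniformly, whatever root it chains to.

```python
"""Model of the two end-entity EKU rules discussed in the thread.

Added example, not code from the dev-security-policy thread or from any
Mozilla implementation. Certificate records and the cutoff date are
constructed; the OIDs are the real RFC 5280 / PKIX values.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Iterable, List, Optional

# Real PKIX KeyPurposeId OIDs (RFC 5280 section 4.2.1.12).
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
ANY_EKU = "2.5.29.37.0"  # anyExtendedKeyUsage


@dataclass(frozen=True)
class EndEntityCert:
    """Constructed stand-in for a parsed end-entity certificate.

    eku is None when the extension is absent, otherwise the set of
    KeyPurposeId OIDs the extension lists.
    """
    name: str
    not_before: date
    eku: Optional[FrozenSet[str]]


def rfc5280_allows(cert: EndEntityCert, purpose: str) -> bool:
    """RFC 5280 semantics: an absent EKU extension means every purpose is
    acceptable, anyExtendedKeyUsage likewise; otherwise the purpose must
    be listed explicitly."""
    if cert.eku is None:
        return True
    return ANY_EKU in cert.eku or purpose in cert.eku


def proposed_rule_allows(cert: EndEntityCert, purpose: str, cutoff: date) -> bool:
    """The starting proposal from the thread: after a cutoff date, reject
    EE certs that lack an EKU extension or assert anyEKU. Certificates
    issued before the cutoff keep the RFC 5280 behaviour. The cutoff date
    is an assumption; the thread names no specific date."""
    if cert.not_before >= cutoff:
        if cert.eku is None or ANY_EKU in cert.eku:
            return False
        return purpose in cert.eku
    return rfc5280_allows(cert, purpose)


def divergent_certs(certs: Iterable[EndEntityCert], purpose: str, cutoff: date) -> List[str]:
    """Names of certificates on which the two rules disagree. A verifier
    has no reliable way to know whether a chain ends at a root in
    Mozilla's program, so whichever rule it adopts applies to all of these
    regardless of which root they chain to."""
    return [c.name for c in certs
            if rfc5280_allows(c, purpose) != proposed_rule_allows(c, purpose, cutoff)]


CUTOFF = date(2020, 1, 1)  # assumed cutoff, not taken from the thread

SAMPLE_CERTS = (  # constructed sample data
    EndEntityCert("old-no-eku", date(2019, 1, 1), None),
    EndEntityCert("new-no-eku", date(2020, 6, 1), None),
    EndEntityCert("new-any-eku", date(2020, 6, 1), frozenset({ANY_EKU})),
    EndEntityCert("new-server-auth", date(2020, 6, 1), frozenset({SERVER_AUTH, CLIENT_AUTH})),
    EndEntityCert("new-email-only", date(2020, 6, 1), frozenset({EMAIL_PROTECTION})),
)

if __name__ == "__main__":
    for c in SAMPLE_CERTS:
        print(f"{c.name:16} rfc5280={rfc5280_allows(c, SERVER_AUTH)!s:5} "
              f"proposed={proposed_rule_allows(c, SERVER_AUTH, CUTOFF)}")
    print("newly rejected:", divergent_certs(SAMPLE_CERTS, SERVER_AUTH, CUTOFF))
```

Running it shows that only the post-cutoff certificates with no EKU or with anyEKU change outcome; a certificate that already carries a specific EKU, or lacks the right one, is judged identically by both rules.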