On Wed, Apr 17, 2019 at 5:05 PM Ryan Hurst via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> For what it is worth I agree with Brian.
>
> I would go a bit further and say certificates need to be issued for
> explicit usages; anything else produces potentially unknown behaviors.
>
> What's most important though is that any certificate that is trusted as a
> result of membership in the Mozilla root program that can technically be
> used for SSL on the public web is subject to the program requirements,
> intent or not.
>
> It seems since MSFT already requires leaves to have an EKU it wouldn't be
> breaking to apply the same rule in Mozilla's program.
>
>
Okay, then I propose adding the following to section 5.2 "Forbidden and
Required Practices":

Effective for certificates issued on or after April 1, 2020, end-entity
certificates MUST include an EKU extension containing KeyPurposeId(s)
describing the intended usage(s) of the certificate, and the EKU extension
MUST NOT contain the KeyPurposeId anyExtendedKeyUsage.

This does not imply that there will be technical enforcement, but also
doesn't rule it out.

I will appreciate everyone's feedback on this proposal.

Ryan
> On Wednesday, April 17, 2019 at 12:27:49 PM UTC-7, Brian Smith wrote:
> > Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> >
> > > My conclusion from this discussion is that we should not add an explicit
> > > requirement for EKUs in end-entity certificates. I've closed the issue.
> > >
> >
> > What will happen to all the certificates without an EKU that currently
> > exist, which don't conform to the program requirements?
> >
>

Such certificates are misissued under our current policy. Nothing would
change.

> > For what it's worth, I don't object to a requirement for having an explicit
> > EKU in certificates covered by the program. Like I said, I think every
> > certificate that is issued should be issued with a clear understanding of
> > what applications it will be used for, and having an EKU extension does
> > achieve that.
> >
> > The thing I am attempting to avoid is the implication that a missing EKU
> > implies a certificate is not subject to the program's requirements.
> >
>

Yes, that's the misunderstanding this issue is attempting to fix.

> > Cheers,
> > Brian
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
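A linter-style check for the rule proposed above, added here as an example and not code from the thread or from Mozilla's own policy tooling. It uses Go's standard crypto/x509 package; CheckEKU, the mustLeaf fixture and the self-signed certificates it generates are constructed for illustration, and the cut-over date is the one in the proposal.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

var EffectiveDate = time.Date(2020, time.April, 1, 0, 0, 0, 0, time.UTC) // date from the proposal

// CheckEKU applies the proposed section 5.2 rule; "" means compliant.
func CheckEKU(c *x509.Certificate) string {
	if c.IsCA || c.NotBefore.Before(EffectiveDate) {
		return "" // CA certificates and earlier issuance are out of scope
	}
	// Go keeps known purposes in ExtKeyUsage and other OIDs in UnknownExtKeyUsage.
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		return "missing EKU extension"
	}
	for _, ku := range c.ExtKeyUsage {
		if ku == x509.ExtKeyUsageAny { // anyExtendedKeyUsage, OID 2.5.29.37.0
			return "EKU contains anyExtendedKeyUsage"
		}
	}
	return ""
}

// mustLeaf builds a throwaway self-signed leaf: a constructed fixture, not any CA's certificate.
func mustLeaf(notBefore time.Time, ekus ...x509.ExtKeyUsage) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // fixture only; error ignored
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 3, 0),
		ExtKeyUsage:  ekus, // nil: no EKU extension is emitted at all
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // CreateCertificate output always parses
	return c
}

func main() {
	fmt.Println(CheckEKU(mustLeaf(EffectiveDate)), "|", CheckEKU(mustLeaf(EffectiveDate, x509.ExtKeyUsageAny)))
}
```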