On 24/4/2019 2:09 AM, Wayne Thayer via dev-security-policy wrote:
On Fri, Apr 19, 2019 at 7:12 PM Matt Palmer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

On Fri, Apr 19, 2019 at 01:22:59PM -0700, Wayne Thayer via dev-security-policy wrote:
Okay, then I propose adding the following to section 5.2 "Forbidden and Required Practices":

Effective for certificates issued on or after April 1, 2020, end-entity certificates MUST include an EKU extension containing KeyPurposeId(s) describing the intended usage(s) of the certificate, and the EKU extension MUST NOT contain the KeyPurposeId anyExtendedKeyUsage.

This does not imply that there will be technical enforcement, but also
doesn't rule it out.

I will appreciate everyone's feedback on this proposal.
If I may pick the absolute smallest of nits, is it "better" if the
restriction be on certificate notBefore, rather than "issued on"?  Whilst
that leaves certificates open to backdating, it does make it easier to
identify misissuance.  Otherwise there could be arguments made that the
certificate was *actually* issued before the effective date, even though
there is no evidence that that is the case.

Thanks Matt, I can see how that change makes it easier to check for
compliance.

I've added my proposal, updated per Matt's suggestion, to the 2.7 branch:

https://github.com/mozilla/pkipolicy/commit/842c9bd53e43904b160e79cb199018252fb60834

Unless there are further comments, I'll consider this issue resolved.

Wayne,

I support this update but I am not sure if this is somehow linked with the scope of the Mozilla Policy. Does this change mean that after April 1, 2020, any Certificate that does not have an EKU is out of Mozilla Policy scope or not? I think the special-purpose certificates from the GRCA discussion (I think they were meant for document signing) that do not contain an EKU (nor an emailAddress in the SAN extension or the CN subjectDN field) are currently considered in scope.

If this change intends to bring these types of certificates out of scope after April 1, 2020, we must make this clear and probably also update section 1.1.


Dimitris.


- Wayne
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

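The notBefore-keyed EKU rule quoted above, as an added compliance check (example code, not from the pkipolicy repository or any poster in the thread): it decodes an extKeyUsage extnValue from DER and reports the rule's violations for one end-entity certificate. The extnValue byte strings are hand-constructed for the example; a real check would take notBefore and the raw extension bytes from a parsed certificate.

```python
from datetime import date

EFFECTIVE_DATE = date(2020, 4, 1)  # rule keyed on notBefore, per Matt's suggestion
ANY_EKU = "2.5.29.37.0"            # anyExtendedKeyUsage, which the rule forbids

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: the next (length & 0x7F) bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    first_arc = min(content[0] // 40, 2)  # first octet holds arcs 1 and 2
    arcs, value = [first_arc, content[0] - 40 * first_arc], 0
    for b in content[1:]:  # remaining arcs are base-128, high bit means continue
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_eku(extn_value: bytes) -> list:
    """Decode an extKeyUsage extnValue (SEQUENCE OF KeyPurposeId) into OID strings."""
    tag, seq, _ = _read_tlv(extn_value, 0)
    if tag != 0x30:
        raise ValueError("EKU extnValue must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(content))
    return oids

def eku_policy_problems(not_before: str, eku_extn_value) -> list:
    """Violations of the proposed 5.2 rule; not_before is YYYY-MM-DD, extnValue bytes or None."""
    if date.fromisoformat(not_before) < EFFECTIVE_DATE:
        return []  # certificate predates the effective date, rule does not apply
    if eku_extn_value is None:
        return ["EKU extension missing"]
    oids = decode_eku(eku_extn_value)
    return ["EKU contains anyExtendedKeyUsage"] if ANY_EKU in oids else []

# Constructed extnValues, hand-encoded for this example (not from any real certificate).
SERVER_AUTH_ONLY = bytes.fromhex("30 0a 06 08 2b 06 01 05 05 07 03 01")  # { id-kp-serverAuth }
SERVER_AUTH_AND_ANY = bytes.fromhex("30 10 06 08 2b 06 01 05 05 07 03 01 06 04 55 1d 25 00")
```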
