In version 2.6 of our Root Store Policy, we added the requirement to section 5.3 that intermediate certificates contain an EKU and separate serverAuth and emailProtection uses. Version 2.6.1 updated the requirement to exclude cross certificates [1]. Last month, an issue [2] was filed requesting that we add "Policy Certification Authorities" (PCAs) as another exception.
PCAs are described in RFC 5280 as CA certificates that are only used to issue other CA certificates, so excluding PCAs from this requirement would not in theory weaken it. However, I'm not aware of any way to technically enforce that PCAs not issue end-entity certificates, and allowing more exceptions would seem to make this policy more difficult to enforce. In addition, RFC 5280 section 3.2 appears to reference PCAs as an example of an architecture that should be abandoned in favor of X.509 v3 certificate extensions:

    With X.509 v3, most of the requirements addressed by RFC 1422 can be
    addressed using certificate extensions, without a need to restrict the
    CA structures used. In particular, the certificate extensions relating
    to certificate policies obviate the need for PCAs...

This is https://github.com/mozilla/pkipolicy/issues/172

I will appreciate everyone's input on this proposal.

- Wayne

[1] https://github.com/mozilla/pkipolicy/commit/a8353e12db6128d9a01de7ab94949180115a2d92
[2] https://github.com/mozilla/pkipolicy/issues/172

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy