I support this, as long as Policy CAs meet the same operations standards and have the same issuance restrictions as root CAs. This would result in no real change to policy, as I assume roots not directly included in the Mozilla root store were already considered “roots” for this part of the policy.
On Fri, Apr 26, 2019 at 4:02 PM Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> In version 2.6 of our Root Store Policy, we added the requirement to
> section 5.3 that intermediate certificates contain an EKU and separate
> serverAuth and emailProtection uses. Version 2.6.1 updated the requirement
> to exclude cross certificates [1]. Last month, an issue [2] was filed
> requesting that we add "Policy Certification Authorities" (PCAs) as another
> exception.
>
> PCAs are described in RFC 5280 as a CA certificate that is only used to
> issue other CA certificates, so excluding PCAs from this requirement would
> not in theory weaken it. However, I'm not aware of any way to technically
> enforce that PCAs not issue end-entity certificates, and allowing more
> exceptions would seem to make this policy more difficult to enforce. In
> addition, RFC 5280 section 3.2 appears to reference PCAs as an example of
> an architecture that should be abandoned in favor of x509v3 certificate
> extensions:
>
> With X.509 v3, most of the requirements addressed by RFC 1422 can be
> addressed using certificate extensions, without a need to restrict
> the CA structures used. In particular, the certificate extensions
> relating to certificate policies obviate the need for PCAs...
>
> This is https://github.com/mozilla/pkipolicy/issues/172
>
> I will appreciate everyone's input on this proposal.
>
> - Wayne
>
> [1] https://github.com/mozilla/pkipolicy/commit/a8353e12db6128d9a01de7ab94949180115a2d92
> [2] https://github.com/mozilla/pkipolicy/issues/172
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
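The section 5.3 requirement quoted above (intermediates must carry an EKU and must not combine serverAuth with emailProtection) is something a root program or a CA can check mechanically over its own issued CA certificates. The following is an added example, not code from the thread, Mozilla, or the pkipolicy repository; it uses only the Go standard library, builds a constructed root and four constructed intermediates in memory, and applies the rule to each. Treating anyExtendedKeyUsage as a failure is this example's own interpretation, not wording from the policy. Note also what the check cannot do: it has no way to tell whether a CA certificate is a PCA in the RFC 5280 sense, because "only issues CA certificates" is not encoded in the certificate, which is exactly the enforcement gap Wayne raises.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding records whether one CA certificate satisfies the section 5.3 rule
// as described in the thread, and why.
type Finding struct {
	OK     bool
	Reason string
}

// CheckIntermediateEKU applies the rule to a single CA certificate.
// Self-signed roots are treated as out of scope; the policy text quoted
// above is about intermediates. A PCA cannot be recognised here: nothing in
// the certificate says it will only ever issue CA certificates.
func CheckIntermediateEKU(c *x509.Certificate) Finding {
	if !c.IsCA {
		return Finding{false, "not a CA certificate"}
	}
	if bytes.Equal(c.RawSubject, c.RawIssuer) {
		return Finding{true, "self-signed root: requirement does not apply"}
	}
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		return Finding{false, "intermediate has no EKU extension"}
	}
	hasServer, hasEmail := false, false
	for _, eku := range c.ExtKeyUsage {
		switch eku {
		case x509.ExtKeyUsageServerAuth:
			hasServer = true
		case x509.ExtKeyUsageEmailProtection:
			hasEmail = true
		case x509.ExtKeyUsageAny:
			// Assumption made by this example: anyEKU implicitly covers both uses.
			return Finding{false, "anyExtendedKeyUsage does not separate the uses"}
		}
	}
	if hasServer && hasEmail {
		return Finding{false, "EKU contains both serverAuth and emailProtection"}
	}
	return Finding{true, "EKU present and uses are separated"}
}

var nextSerial int64 = 1000 // constructed, demo-only serial numbers

// newCA issues a constructed CA certificate. With parent == nil it is
// self-signed (a root); otherwise it is signed by parentKey.
func newCA(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, ekus []x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtKeyUsage:           ekus, // nil means no EKU extension is emitted
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Demo builds a constructed root and four intermediates and checks each one.
func Demo() (map[string]Finding, error) {
	root, rootKey, err := newCA("Demo Root", nil, nil, nil)
	if err != nil {
		return nil, err
	}
	cases := map[string][]x509.ExtKeyUsage{
		"no EKU":               nil,
		"serverAuth only":      {x509.ExtKeyUsageServerAuth},
		"emailProtection only": {x509.ExtKeyUsageEmailProtection},
		"both uses":            {x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageEmailProtection},
	}
	out := map[string]Finding{"root": CheckIntermediateEKU(root)}
	for name, ekus := range cases {
		ic, _, err := newCA("Demo "+name, root, rootKey, ekus)
		if err != nil {
			return nil, err
		}
		out[name] = CheckIntermediateEKU(ic)
	}
	return out, nil
}

func main() {
	findings, err := Demo()
	if err != nil {
		panic(err)
	}
	for name, f := range findings {
		fmt.Printf("%-22s ok=%-5v %s\n", name, f.OK, f.Reason)
	}
}
```

Run against a real hierarchy, the same CheckIntermediateEKU function would be applied to each parsed CA certificate below the root; the cross-certificate exclusion from version 2.6.1 would need an extra rule keyed on the issuing organisation, which this example does not attempt.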