Hello,

On 27/4/19 2:02 AM, Wayne Thayer via dev-security-policy wrote:
> In version 2.6 of our Root Store Policy, we added the requirement to
> section 5.3 that intermediate certificates contain an EKU and separate
> serverAuth and emailProtection uses. Version 2.6.1 updated the requirement
> to exclude cross certificates [1]. Last month, an issue [2] was filed
> requesting that we add "Policy Certification Authorities" (PCAs) as another
> exception.
> 
> PCAs are described in RFC 5280 as a CA certificate that is only used to
> issue other CA certificates, so excluding PCAs from this requirement would
> not in theory weaken it. However, I'm not aware of any way to technically

Just to clarify, when opening the ticket by Policy CAs I was describing
CAs issuing only SubCAs, or other "infrastructure" certificates such as
OCSP certificates, and not end-entity certificates. The full model
described in RFC5280 includes many more architectural requirements.

> enforce that PCAs not issue end-entity certificates, and allowing more
> exceptions would seem to make this policy more difficult to enforce. In

I think that many, if not most, of the requirements imposed by the
Mozilla Root Store Policy are difficult to enforce. This specific
requirement is easy to monitor thanks to CT. Crt.sh already provides
this information in a single webpage for every CA, and I think that a
single database query will return non-compliant SubCAs directly. Other
requirements, such as CAA monitoring which is part of the Mozilla Root
Store Policy by virtue of CA/B Forum BRs, are way more difficult to
enforce, and cannot be monitored directly using some service like CT.

> addition, RFC 5280 section 3.2 appears to reference PCAs as an example of
> an architecture that should be abandoned in favor of x509v3 certificate
> extensions:
> 
>    With X.509 v3, most of the requirements addressed by RFC 1422 can be
>    addressed using certificate extensions, without a need to restrict
>    the CA structures used.  In particular, the certificate extensions
>    relating to certificate policies obviate the need for PCAs...

It is my understanding that this applies to the full PCA model. As I
described before, I am simply talking about SubCAs that are issuing only
other SubCAs. Unfortunately, I don't think there is a single term to
describe these Subs.

Regards,
Fotis

> 
> This is https://github.com/mozilla/pkipolicy/issues/172
> 
> I will appreciate everyone's input on this proposal.
> 
> - Wayne
> 
> [1]
> https://github.com/mozilla/pkipolicy/commit/a8353e12db6128d9a01de7ab94949180115a2d92
> [2] https://github.com/mozilla/pkipolicy/issues/172
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
> 


-- 
Fotis Loukos, PhD
Director of Security Architecture
SSL Corp
e: fot...@ssl.com
w: https://www.ssl.com
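The monitoring Fotis describes (pulling every logged CA certificate and checking it against section 5.3) comes down to a per-certificate check. The following is an added example, not code from this thread, from Mozilla or from crt.sh: it uses only Go's standard crypto/x509 package, builds a small constructed hierarchy (a root, a legacy root, three intermediates and a cross-certificate) in place of CT-logged certificates, and applies the rule as discussed here, i.e. an EKU must be present, serverAuth and emailProtection must not be combined, and a certificate carrying a root's key is treated as a root or cross-certificate per the 2.6.1 exemption. It also flags anyExtendedKeyUsage, which the policy text (not quoted in the thread) rules out as well. The names `EKUFinding`, `CheckIntermediateEKU`, `newCA` and `DemoFindings` are this example's own; it requires Go 1.18 or later for the small `must` generic.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// EKUFinding records whether one CA certificate passes the section 5.3 check and why.
type EKUFinding struct {
	Subject   string
	Compliant bool
	Reason    string
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// spkiHash fingerprints the public key; a CA certificate carrying a root's key is that
// root itself or a cross-certificate for it, which the 2.6.1 wording exempts.
func spkiHash(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// CheckIntermediateEKU applies the rule to one parsed certificate; rootKeys holds the
// SPKI hashes of the roots the checker knows about.
func CheckIntermediateEKU(cert *x509.Certificate, rootKeys map[[32]byte]bool) EKUFinding {
	cn := cert.Subject.CommonName
	if !cert.IsCA || rootKeys[spkiHash(cert)] {
		return EKUFinding{cn, true, "not an intermediate (end-entity, root or cross-certificate); out of scope"}
	}
	if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 {
		return EKUFinding{cn, false, "no extendedKeyUsage extension"}
	}
	has := map[x509.ExtKeyUsage]bool{}
	for _, eku := range cert.ExtKeyUsage {
		has[eku] = true
	}
	if has[x509.ExtKeyUsageAny] { // anyExtendedKeyUsage defeats the separation
		return EKUFinding{cn, false, "anyExtendedKeyUsage present"}
	}
	if has[x509.ExtKeyUsageServerAuth] && has[x509.ExtKeyUsageEmailProtection] {
		return EKUFinding{cn, false, "serverAuth and emailProtection combined in one intermediate"}
	}
	return EKUFinding{cn, true, "EKU present; serverAuth and emailProtection separated"}
}

// newCA builds a constructed CA certificate (demo data, not a real CA). A nil parent
// yields a self-signed root; a nil ekus slice omits the extendedKeyUsage extension.
func newCA(cn string, ekus []x509.ExtKeyUsage, parent *x509.Certificate, parentKey, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtKeyUsage:           ekus,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der))
}

// DemoFindings builds the constructed hierarchy and checks each CA certificate in it,
// the way a CT-fed monitor would check every logged intermediate.
func DemoFindings() []EKUFinding {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, legacyKey := newKey(), newKey()
	root := newCA("Constructed Root", nil, nil, nil, rootKey)
	legacy := newCA("Constructed Legacy Root", nil, nil, nil, legacyKey)
	rootKeys := map[[32]byte]bool{spkiHash(root): true, spkiHash(legacy): true}
	both := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageEmailProtection}
	certs := []*x509.Certificate{
		newCA("Intermediate without EKU", nil, root, rootKey, newKey()),
		newCA("Intermediate TLS+S/MIME", both, root, rootKey, newKey()),
		newCA("Intermediate TLS only", both[:1], root, rootKey, newKey()),
		// Cross-certificate: the root's own key signed by the legacy root, no EKU.
		newCA("Constructed Root", nil, legacy, legacyKey, rootKey),
	}
	var findings []EKUFinding
	for _, c := range certs {
		findings = append(findings, CheckIntermediateEKU(c, rootKeys))
	}
	return findings
}

func main() {
	for _, f := range DemoFindings() {
		fmt.Printf("%-26s compliant=%-5t %s\n", f.Subject, f.Compliant, f.Reason)
	}
}
```

Run with `go run` and the two intermediates without a valid separation are reported as non-compliant, the TLS-only one passes, and the cross-certificate is set aside because its key is in the root set. Note what the checker cannot do, which is the point Wayne raises: from a single certificate there is no way to tell a SubCA that will only ever issue other SubCAs from an ordinary intermediate, so an exemption of that kind would have to live in a maintained allowlist next to the root-key set rather than in the certificate itself.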