Hello, On 27/4/19 2:02 π.μ., Wayne Thayer via dev-security-policy wrote: > In version 2.6 of our Root Store Policy, we added the requirement to > section 5.3 that intermediate certificates contain an EKU and separate > serverAuth and emailProtection uses. Version 2.6.1 updated the requirement > to exclude cross certificates [1]. Last month, an issue [2] was filed > requesting that we add "Policy Certification Authorities" (PCAs) as another > exception. > > PCAs are described in RFC 5280 as a CA certificate that is only used to > issue other CA certificates, so excluding PCAs from this requirement would > not in theory weaken it. However, I'm not aware of any way to technically
Just to clarify, when opening the ticket by Policy CAs I was describing CAs issuing only SubCAs, or other "infrastructure" certificates such as OCSP certificates, and not end-entity certificates. The full model described in RFC5280 includes many more architectural requirements. > enforce that PCAs not issue end-entity certificates, and allowing more > exceptions would seem to make this policy more difficult to enforce. In I think that many, if not most, of the requirements imposed by the Mozilla Root Store Policy are difficult to enforce. This specific requirement is easy to monitor thanks to CT. Crt.sh already provides this information in a single webpage for every CA, and I think that a single database query will return non-compliant SubCAs directly. Other requirements, such as CAA monitoring which is part of the Mozilla Root Store Policy by virtue of CA/B Forum BRs, are way more difficult to enforce, and cannot be monitored directly using some service like CT. > addition, RFC 5280 section 3.2 appears to reference PCAs as an example of > an architecture that should be abandoned in favor of x509v3 certificate > extensions: > > With X.509 v3, most of the requirements addressed by RFC 1422 can be > addressed using certificate extensions, without a need to restrict > the CA structures used. In particular, the certificate extensions > relating to certificate policies obviate the need for PCAs... It is my understanding that this applies to the full PCA model. As I described before, I am simply talking about SubCAs that are issuing only other SubCAs. Unfortunately, I don't think there is a single term to describe these Subs. Regards, Fotis > > This is https://github.com/mozilla/pkipolicy/issues/172 > > I will appreciate everyone's input on this proposal. > > - Wayne > > [1] > https://github.com/mozilla/pkipolicy/commit/a8353e12db6128d9a01de7ab94949180115a2d92 > [2] https://github.com/mozilla/pkipolicy/issues/172 > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > -- Fotis Loukos, PhD Director of Security Architecture SSL Corp e: fot...@ssl.com w: https://www.ssl.com _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
