On Mon, Oct 7, 2019 at 11:26 AM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On 07/10/2019 16:52, Ryan Sleevi wrote:
> > I'm curious how folks feel about the following practice:
> >
> > Imagine a CA, "Foo", that creates a new Root Certificate ("Root 1"). They
> > create this Root Certificate after the effective date of the Baseline
> > Requirements, but prior to Root Programs consistently requiring
> compliance
> > with the Baseline Requirements (i.e. between 2012 and 2014). This Root
> > Certificate does not comply with the BRs' rules on Subject: namely, it
> > omits the Country field.
>
> Clarification needed: Does it omit Country from the DN of the root 1
> itself, from the DN of intermediary CA certs and/or from the DN of End
> Entity certs?
>
It's as I stated: The Subject of the Root Certificate omits the Country
field.
> >
> > Later, in 2019, Foo takes their existing Root Certificate ("Root 2"),
> > included within Mozilla products, and cross-signs the Subject. This now
> > creates a cross-signed certificate, "Root 1 signed-by Root 2", which has
> a
> > Subject field that does not comport with the Baseline Requirements.
>
> Nit: Signs the Subject => Signs Root 1
>
Perhaps it would be helpful if you were clearer about what you believe you
were correcting.
I thought I was very precise here, so it's useful to understand your
confusion:
Root 2, a root included in Mozilla products, cross-signs Root 1, a root
which omits the Country field from the Subject.
This creates a certificate, whose issuer is Root 2 (a Root included in
Mozilla Products), and whose Subject is Root 1. The Subject of Root 1 does
not meet the BRs requirements on Subjects for intermediate/root
certificates: namely, the certificate issued by Root 2 omits the C, because
Root 1 omits the C.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
