(Replying for the correct address this time)

On Fri, Aug 16, 2019 at 4:28 PM Jason via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Hi All,
>
> This is Jason from the Microsoft PKI Services team. I’d like to add some
> context to the note about the certs issued from the Microsoft RSA Root
> Certificate Authority 2017. As you can see, these were all issued to a
> domain registered to Microsoft. While these clearly violate the Subject
> profile requirements in Section 7 of the BRs, nearly all the certs listed
> meet the requirements for Test Certificate as listed in Section 1.6.1 of
> the BRs, including the presence of the “Test” OID (2.23.140.2.1) in a
> critical extension. A few of the test issuances did not meet the
> requirements of 1.6.1 and we have adjusted our policy enforcement
> mechanisms accordingly as a result. That said, we have created an incident
> around this for purposes of reporting to our auditors. Please feel free to
> let me know if you have questions.
>
> Thanks,
> Jason Cooper
>

While this thread has closed, and Microsoft's roots have been included, I
want to circle back on this, as recently another CA brought this up.

Microsoft's answer here is not correct, and is actually quite concerning.
Microsoft included the "Test" OID (2.23.140.2.1) not as a critical
/extension OID/, but as the contents within an extension (specifically,
certificatePolicies).

This is actually quite concerning. The purpose of the "Test" OID was to be
a 'poison' extension - i.e. an unrecognized critical extension that
prevents the certificate from being usable - not a general "you can stick
this anywhere in the cert" (e.g. within a QCStatements, for example).

However, equally important is that while the term "Test Certificate" is
included within the BRs, it's actually part of a specific reference to a
particular validation method, within 3.2.2.4.9, which MUST NOT be used.

So there's nothing in the BRs that authorizes this Test Certificate, and the
certificate does not contain "an extension with the specified Test
Certificate CABF OID (2.23.140.2.1)" - i.e. an extension with the OID
"2.23.140.2.1" is not present.

I felt it important to correct this, on the thread, since this was the
first occurrence of this misinterpretation. It also represents a Serious
Misissuance by Microsoft, as it not only missed the requirements for Test
Certificate, but also missed where they were explicitly forbidden from use.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy