On 2020-10-15 11:36 PM, Ben Wilson via dev-security-policy wrote:
  This issue is presented for resolution in the next version of the Mozilla
Root Store Policy. It is related to Issue #147
<https://github.com/mozilla/pkipolicy/issues/147> (previously posted for
discussion on this list on 6-Oct-2020).

Possible language is presented here:
https://github.com/BenWilson-Mozilla/pkipolicy/commit/c1acc76ad9f05038dc82281532fb215d71d537d4

In addition to replacing "if issuing EV certificates" with "if capable of
issuing EV certificates" in two places -- for WebTrust and ETSI audits --
it would be followed by "(i.e. a subordinate CA under an EV-enabled root
that contains no EKU or the id-kp-serverAuth EKU or anyExtendedKeyUsage
EKU, and a certificatePolicies extension that asserts the CABF EV OID of
2.23.140.1.1, the anyPolicy OID, or the CA's EV policy OID)." Thus, Mozilla
considers that a CA is capable of issuing EV certificates if it is (1) a
subordinate CA (2) under an EV-enabled root (3) that contains no EKU or the
id-kp-serverAuth EKU or anyExtendedKeyUsage EKU, and (4) a
certificatePolicies extension that asserts the CABF EV OID of 2.23.140.1.1,
the anyPolicy OID, or the CA's EV policy OID.

I look forward to your suggestions.

Hello Ben,

I am trying to understand the expectations from Mozilla:

- If a CA that has an EV-capable RootCA, uses a subCA Certificate that contains the id-kp-serverAuth EKU and the anyPolicy OID that does not issue EV end-entity Certificates, is this considered a policy violation if this subCA is not explicitly included in an EV audit scope (ETSI or WebTrust)?

- If a subCA Certificate that contains the id-kp-serverAuth EKU and the anyPolicy OID was not covered by an EV-scope audit (because it did not issue EV Certificates) and it later decides to update the profile and policies/practices to comply with the EV Guidelines for everything related to end-entity certificates in order to start issuing EV Certificates and is later added to an EV-scope audit, is that an allowed practice? Judging from the current EV Guidelines I didn't see anything forbidding this practice. In fact this is supported via section 17.4.

The proposed language is a bit confusing so hopefully by getting Mozilla's position on the above two questions, we can propose some improvements.


Best regards,
Dimitris.



Thanks,

Ben
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
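An added example, not part of this thread or of Mozilla's policy repository, that encodes the four conditions of the proposed language as a check over a constructed model of subordinate CA extensions. The SubCA class, its field names and the stand-in OID 1.2.3.4.5 are assumptions; the constructed hierarchy includes the serverAuth-plus-anyPolicy case asked about above.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# OIDs named in the proposed language (standard RFC 5280 / CABF values).
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"
CABF_EV_OID = "2.23.140.1.1"
ANY_POLICY = "2.5.29.32.0"

@dataclass(frozen=True)
class SubCA:
    """Hypothetical model of a subordinate CA's relevant fields; a real check
    would fill these from the parsed certificate. None = extension absent."""
    name: str
    under_ev_enabled_root: bool
    eku: Optional[FrozenSet[str]]
    policies: Optional[FrozenSet[str]]

def eku_permits_server_auth(eku: Optional[FrozenSet[str]]) -> bool:
    """Condition (3): no EKU extension, id-kp-serverAuth, or anyExtendedKeyUsage."""
    return eku is None or ID_KP_SERVER_AUTH in eku or ANY_EXTENDED_KEY_USAGE in eku

def policies_assert_ev(policies: Optional[FrozenSet[str]], ca_ev_oid: str) -> bool:
    """Condition (4): certificatePolicies asserts the CABF EV OID, anyPolicy, or
    the CA's own EV policy OID. An absent extension asserts nothing."""
    return policies is not None and not policies.isdisjoint({CABF_EV_OID, ANY_POLICY, ca_ev_oid})

def ev_capable(ca: SubCA, ca_ev_oid: str) -> bool:
    """Conditions (1)-(4): a subordinate CA under an EV-enabled root whose EKU and
    certificatePolicies leave EV issuance technically possible."""
    return (ca.under_ev_enabled_root and eku_permits_server_auth(ca.eku)
            and policies_assert_ev(ca.policies, ca_ev_oid))

def ev_audit_scope(subcas, ca_ev_oid: str) -> Dict[str, bool]:
    """Map each subordinate CA name to whether it must be in the EV audit scope."""
    return {ca.name: ev_capable(ca, ca_ev_oid) for ca in subcas}

# Constructed sample hierarchy; "1.2.3.4.5" stands in for the CA's own EV policy OID.
CA_EV_OID = "1.2.3.4.5"
SAMPLE_SUBCAS = [
    # The case raised above: serverAuth EKU + anyPolicy, no EV certificates issued yet.
    SubCA("serverauth-anypolicy", True, frozenset({ID_KP_SERVER_AUTH}), frozenset({ANY_POLICY})),
    # No EKU extension, but certificatePolicies limited to the CABF DV OID.
    SubCA("no-eku-dv-only", True, None, frozenset({"2.23.140.1.2.1"})),
    # anyExtendedKeyUsage with the CA's own EV policy OID.
    SubCA("anyeku-own-ev-oid", True, frozenset({ANY_EXTENDED_KEY_USAGE}), frozenset({CA_EV_OID})),
    # S/MIME-only EKU (id-kp-emailProtection) rules out TLS, so not EV-capable.
    SubCA("email-only", True, frozenset({"1.3.6.1.5.5.7.3.4"}), frozenset({ANY_POLICY})),
    # Same profile as the first, but not under an EV-enabled root.
    SubCA("non-ev-root", False, frozenset({ID_KP_SERVER_AUTH}), frozenset({ANY_POLICY})),
]
```

Under the proposed wording the serverAuth-plus-anyPolicy subordinate counts as EV-capable whether or not it has ever issued an EV certificate, which is what would pull it into EV audit scope.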
