I feel like this item needs to be further discussed...

1) section 1.1 of Mozilla's Root Store Policy (MRSP)
<https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#11-scope>
limits the scope of the policy to "intermediate certificates which are 
technically capable of issuing working server or email certificates". So my 
understanding is that the proposed changes would mean that all intermediate 
certificates which are technically capable of issuing working server or 
email certificates must be disclosed in the CCADB, even if they are name 
constrained. And the proposed changes would NOT mean that intermediate 
certificates would need to be disclosed in the CCADB when they contain an 
Extended Key Usage (EKU) extension which does not contain any of these 
KeyPurposeIds: anyExtendedKeyUsage, id-kp-serverAuth, 
id-kp-emailProtection.  
Correct?

2) Just wondering... How do you all think that requiring disclosure of 
technically-constrained intermediate certs in the CCADB improves security 
for end-users?



> I have made an attempt to address this further with some commits in my 
> GitHub repository:
>
> https://github.com/mozilla/pkipolicy/compare/1829373903c8d58246c781ee11ea77d6d386985a...e6550dba22ed38ac6bdd33677a8bf3d2f00e75de
>
3) regarding the proposed change in the first paragraph of section 5.3 from
"Certificate Program MUST be operated in accordance with this policy and 
MUST either be technically constrained or be publicly disclosed and 
audited."
to
"Certificate Program MUST be operated in accordance with this policy and 
MUST either be technically constrained or be audited."

My interpretation of the original sentence was: "MUST either be technically 
constrained or (be publicly disclosed and audited)."
meaning that 3rd-party audit statements would have to be provided.
I do NOT interpret it as meaning that technically-constrained intermediate 
certificates do not have to be audited at all. The BRs provide specific 
requirements for the oversight of technically-constrained intermediate 
certificates that I view as the minimum oversight that should be done for 
such intermediate certificates.

Therefore, I think that first paragraph should be changed to:
All certificates that are capable of being used to issue new certificates 
which are technically capable of issuing working server or email 
certificates and that directly or transitively chain to a CA certificate 
included in Mozilla’s CA Certificate Program MUST be operated in accordance 
with this policy and MUST be publicly disclosed in the CCADB.


4) Regarding these changes:
> Move the 4th paragraph in MRSP § 5.3 to the first paragraph of § 5.3.2. 
> Move content from the second bullet in MRSP § 5.3.2 to the first 
> paragraph and eliminate the bulleted list.

I think the new text of section 5.3.2 looks OK, except

4.a) Move this to its own paragraph: 
Name Constrained CA certificates that were exempt from disclosure in 
previous versions of this policy MUST be disclosed in the CCADB prior to 
July 1, 2022.

4.b) We CANNOT delete the sentence, "All disclosure MUST be made freely 
available..."
We must keep that text, especially for audit statements. So keep this text 
as a separate paragraph:

All disclosure MUST be made freely available and without additional 
requirements, including, but not limited to, registration, legal 
agreements, or restrictions on redistribution of the certificates in whole 
or in part.

Thanks,
Kathleen

-- 
You received this message because you are subscribed to the Google Groups 
"dev-security-policy@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to dev-security-policy+unsubscr...@mozilla.org.
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/19d586b7-9e74-46d2-b2a4-de440913e5f2n%40mozilla.org.
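The scope test discussed in point 1 of the message above (an intermediate is in scope when it has no EKU extension, or when its EKU contains anyExtendedKeyUsage, id-kp-serverAuth or id-kp-emailProtection; name constraints do not take it out of scope) can be checked mechanically. The following is an added example written for this page; it is not code from the post, from Mozilla or from the pkipolicy repository. It assumes the reading of section 1.1 given in point 1, decodes the EKU extension value directly from DER so it needs no third-party library, and uses constructed EKU byte strings rather than values from any real certificate.

```python
"""Classify an intermediate CA as in or out of MRSP section 1.1 scope by EKU.

The EKU extension value is DER: SEQUENCE OF OBJECT IDENTIFIER (RFC 5280 4.2.1.12).
A minimal DER reader is included so the example runs offline. The scope rule
below is the reading given in point 1 of the post (an assumption of this example).
"""

ANY_EKU = "2.5.29.37.0"              # anyExtendedKeyUsage
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"    # id-kp-serverAuth
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection
IN_SCOPE_PURPOSES = {ANY_EKU, SERVER_AUTH, EMAIL_PROTECTION}


def _read_tlv(data: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos).
    Handles short-form and definite long-form lengths only (DER forbids indefinite)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("DER value runs past end of input")
    return tag, data[pos:end], end


def decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents to dotted form (X.690 8.19)."""
    if not value:
        raise ValueError("empty OID")
    if value[-1] & 0x80:
        raise ValueError("truncated OID arc")
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)   # base-128, high bit = continuation
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = arcs[0]
    # The first two arcs are packed into one value: 40*X + Y, with X in 0..2.
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def parse_eku(der: bytes) -> list:
    """Parse ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU extension value is not a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("non-OID element inside EKU SEQUENCE")
        oids.append(decode_oid(value))
    if not oids:
        raise ValueError("EKU SEQUENCE must contain at least one KeyPurposeId")
    return oids


def capable_of_server_or_email_issuance(eku_der) -> bool:
    """True if an intermediate with this EKU value (None = extension absent) is
    'technically capable of issuing working server or email certificates'.
    Name constraints are deliberately not consulted: per point 1 of the post,
    a name-constrained intermediate is still in scope."""
    if eku_der is None:          # no EKU: unconstrained, so capable
        return True
    return bool(IN_SCOPE_PURPOSES & set(parse_eku(eku_der)))


# Constructed EKU extension values (DER), not taken from any real certificate.
EKU_SERVER_AUTH = bytes.fromhex("300a06082b06010505070301")
EKU_EMAIL = bytes.fromhex("300a06082b06010505070304")
EKU_ANY = bytes.fromhex("30060604551d2500")
EKU_CLIENT_AND_CODESIGN = bytes.fromhex("301406082b0601050507030206082b06010505070303")
EKU_OCSP_ONLY = bytes.fromhex("300a06082b06010505070309")

if __name__ == "__main__":
    samples = {"absent": None, "serverAuth": EKU_SERVER_AUTH, "emailProtection": EKU_EMAIL,
               "anyEKU": EKU_ANY, "clientAuth+codeSigning": EKU_CLIENT_AND_CODESIGN,
               "OCSPSigning": EKU_OCSP_ONLY}
    for name, der in samples.items():
        verdict = "in scope" if capable_of_server_or_email_issuance(der) else "out of scope"
        print(f"{name:24s} {verdict}")
```

The parser rejects an empty SEQUENCE and non-OID members rather than silently treating them as "no server or email purpose", so a malformed EKU fails loudly instead of being classified as out of scope; that is the safer default for a disclosure check.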