How to Create an Audit Case in CCADB
CAs,

I have updated the instructions for creating an Audit Case in the CCADB, and have added a video that demonstrates the process.

https://www.ccadb.org/cas/updates#instructions

Please let me know if you have any questions about the updated process.

Thanks,
Kathleen

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Add Ben Wilson as Peer of Mozilla's CA Certificates and CA Certificate Policy modules
All,

I propose adding Ben Wilson as a peer[1] of Mozilla's CA Certificates Module[2] and CA Certificate Policy Module[3]. As you know, Ben and I are distributing the job of running Mozilla's CA Program between us, so Ben will continue to actively work on both of these Modules.

Thanks,
Kathleen

[1] https://wiki.mozilla.org/Modules
[2] https://wiki.mozilla.org/Modules/All#CA_Certificates
[3] https://wiki.mozilla.org/Modules/All#Mozilla_CA_Certificate_Policy

Re: EKU is required in each Subordinate CA certificate
Yes, that date comes from the Mozilla Root Program, but this requirement is new for the other Root Programs and for the BR.

The other thing is that, without an indicated effective date, the requirement can be interpreted to mean that every valid Subordinate CA certificate shall comply with this requirement, even if it was issued years ago.

I would just like to get confirmation that this requirement does not mean that all currently non-compliant subordinate CA certificates that were issued prior to the effective date shall be revoked.

EKU is required in each Subordinate CA certificate
You can find the following requirement in the latest Baseline Requirement:

7. CERTIFICATE, CRL, AND OCSP PROFILES
7.1 Certificate profile
7.1.2 Certificate Content and Extensions; Application of RFC 5280
7.1.2.2 Subordinate CA Certificate
...
g. extkeyUsage (optional/required)
For Cross Certificates ...
For all other Subordinate CA Certificates, including Technically Constrained Subordinate CA Certificates: This extension MUST be present and SHOULD NOT be marked critical.
...

If I understand this requirement correctly, each Subordinate CA certificate (excluding the above-mentioned Cross Certificates) shall contain the EKU extension.

Does it mean that all Subordinate CA certificates issued after a specific date shall contain the EKU extension? What is the effective date of this requirement? Is it 20 August 2020, the issue date of this version of the Baseline Requirement?