Re: Mozilla cert report - am I holding it wrong?

2019-04-09 Thread Nick Lamb via dev-security-policy
On Tue, 9 Apr 2019 14:07:55 -0400 Ryan Sleevi via dev-security-policy wrote:
> I think it's merely a misparsing of the description.
>
> The intermediate you referenced - https://crt.sh/?id=197857126 -
> chains to a "root in Mozilla's program with the Websites trust bit
> set". That root is

Re: Mozilla cert report - am I holding it wrong?

2019-04-09 Thread Clint Wilson via dev-security-policy
On Tuesday, April 9, 2019 at 12:08:16 PM UTC-6, Ryan Sleevi wrote:
> On Tue, Apr 9, 2019 at 11:25 AM Nick Lamb via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > Mozilla's wiki has a page about the subCAs
> >
> > https://wiki.mozilla.org/CA/Intermediate_Certificates
>

Re: Mozilla cert report - am I holding it wrong?

2019-04-09 Thread Ryan Sleevi via dev-security-policy
On Tue, Apr 9, 2019 at 11:25 AM Nick Lamb via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Mozilla's wiki has a page about the subCAs
>
> https://wiki.mozilla.org/CA/Intermediate_Certificates
>
> On that page I see a link labelled:
>
> "Non-revoked, non-expired

Re: Extension KeyUsage in Subscriber's Certificate

2019-04-09 Thread Ryan Sleevi via dev-security-policy
On Tue, Apr 9, 2019 at 10:39 AM Lijun Liao wrote:
> Just to make it clear: The extension KeyUsage is optional in subscriber's
> certificate. But what happens if it is present and is NOT critical?
>

RFC 5280 says SHOULD, not MUST. RFC 2119 defines SHOULD as:

3. SHOULD This word, or the

Mozilla cert report - am I holding it wrong?

2019-04-09 Thread Nick Lamb via dev-security-policy
Mozilla's wiki has a page about the subCAs

https://wiki.mozilla.org/CA/Intermediate_Certificates

On that page I see a link labelled:

"Non-revoked, non-expired Intermediate CA Certificates chaining up to roots in Mozilla's program with the Websites trust bit set"

And clicking that link produces

Re: Extension KeyUsage in Subscriber's Certificate

2019-04-09 Thread Lijun Liao via dev-security-policy
Just to make it clear: The extension KeyUsage is optional in subscriber's certificate. But what happens if it is present and is NOT critical?

On Tue, 9 Apr 2019, 16:29 Ryan Sleevi wrote:
> 1. Open
> https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.6.4.pdf
> 2. Search for "KeyUsage"
>

Re: Extension KeyUsage in Subscriber's Certificate

2019-04-09 Thread Ryan Sleevi via dev-security-policy
1. Open https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.6.4.pdf
2. Search for "KeyUsage" - 11 occurrences

#1 7.1.2.1 Root CA Certificate
b. keyUsage
This extension MUST be present and MUST be marked critical
...
#3 7.1.2.2 Subordinate CA Certificate
e. keyUsage
This

Extension KeyUsage in Subscriber's Certificate

2019-04-09 Thread Lijun Liao via dev-security-policy
The extension KeyUsage in subscriber's certificate SHOULD be marked as critical as in RFC 5280. What if it is not set? Does this violate the Baseline Requirements or any rules used by Mozilla Security Policy?

Best regards
Lijun