Hello everyone,

This is the first time I am writing here. I've been reading (part of) this list and the Bugzilla section of the CA Program for a while. I hope I can cooperate. I am especially interested in the technical aspects and legal implications that electronic certificates have in the EU, as laws are appearing and public opinion is unaware of that.

Well, back to the issue. I've seen Bug 1394595 (https://bugzilla.mozilla.org/show_bug.cgi?id=1394595), where Firmaprofesional requests the addition of a subCA to OneCRL because the subCA is not technically constrained and, for prevention, wants to avoid any misissuance of TLS certificates. I congratulate Firmaprofesional for making this move in favor of transparency and tech security. This comes after FNMT got one subCA added to OneCRL because of the addition of anyExtendedKeyUsage to its personal certs (https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/Qo1ZNwlYKnY/UrAodnoQBwAJ), and a similar subCA is on the way to being added to OneCRL for prevention.

But I find an issue here. The root has both the websites and the email trust bits. The subCA cert is not constrained. The representative of the CA wants to add the subCA to OneCRL because this subCA doesn't issue TLS certificates. OneCRL and the CA program act on both Firefox (if the websites trust bit is enabled) and Thunderbird (if the email trust bit is enabled). If a subCA is added to OneCRL, all certs that chain up to it get untrusted, for both bits. I am not quite sure how many people receive emails signed with a personal electronic certificate in their Thunderbird client, but I think we can agree that they are fewer than all Firefox users.

So, my questions are:

- Should CAs that ONLY have the websites trust bit get all their subCAs (that do not issue TLS certificates and whose intermediate certificate is not technically constrained) added to OneCRL just for prevention? Should this become mandatory?
- Should CAs that have BOTH trust bits get all their subCAs (that issue personal certificates, but where email signing is not advertised to their consumers, e.g. the consumer gets the certificate to be able to do some bureaucratic procedures with the Government, and whose intermediate certificate is not technically constrained) added to OneCRL just for prevention? Should this become mandatory?
- Should CAs that have BOTH trust bits get all their subCAs (that issue certificates that are neither TLS nor related to email signing, and whose intermediate certificate is not technically constrained) added to OneCRL just for prevention? Should this become mandatory?

Greetings,
Víctor

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
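The distinction the questions above turn on, "technically constrained" per trust bit, can be checked mechanically on an intermediate certificate. The following is an added example written for this page, not code from Mozilla, Firmaprofesional or FNMT. It builds a constructed test root and several constructed intermediates with Go's standard crypto/x509 package, re-parses each one from DER, and applies a simplified version of the Root Store Policy section 5.3 rule: an intermediate with no EKU extension, or with anyExtendedKeyUsage, is unconstrained for both bits; one with id-kp-serverAuth counts as constrained for TLS only with dNSName and iPAddress name constraints (the policy also requires directoryName and SRVName constraints, which Go's parser does not expose, so those are not checked); one with id-kp-emailProtection counts as constrained for email only with rfc822Name name constraints. The scenario names, the "example.com" domain and all certificate contents are assumptions constructed for the example. The "personal" case reproduces the situation in the post: an email-capable subCA under a root with both trust bits is harmless for the websites bit but unconstrained for the email bit.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Verdict: per Mozilla trust bit, is the intermediate technically constrained
// (simplified Root Store Policy 5.3 rule, see lead-in)?
type Verdict struct {
	ConstrainedForTLS   bool
	ConstrainedForEmail bool
}

func hasEKU(c *x509.Certificate, want x509.ExtKeyUsage) bool {
	for _, got := range c.ExtKeyUsage {
		if got == want {
			return true
		}
	}
	return false
}

// Classify inspects the parsed certificate, not the template, so it sees what
// a relying party would see.
func Classify(c *x509.Certificate) Verdict {
	ekuPresent := len(c.ExtKeyUsage) > 0 || len(c.UnknownExtKeyUsage) > 0
	if !ekuPresent || hasEKU(c, x509.ExtKeyUsageAny) {
		return Verdict{} // no EKU or anyExtendedKeyUsage: unconstrained for both bits
	}
	dnsNC := len(c.PermittedDNSDomains) > 0 || len(c.ExcludedDNSDomains) > 0
	ipNC := len(c.PermittedIPRanges) > 0 || len(c.ExcludedIPRanges) > 0
	mailNC := len(c.PermittedEmailAddresses) > 0 || len(c.ExcludedEmailAddresses) > 0
	v := Verdict{ConstrainedForTLS: true, ConstrainedForEmail: true}
	if hasEKU(c, x509.ExtKeyUsageServerAuth) {
		v.ConstrainedForTLS = dnsNC && ipNC // directoryName/SRVName not checked
	}
	if hasEKU(c, x509.ExtKeyUsageEmailProtection) {
		v.ConstrainedForEmail = mailNC
	}
	return v
}

// caTemplate returns a CA template; all values are constructed test data.
func caTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// Scenario builds a constructed root plus one intermediate of the named shape
// (hypothetical names, see lead-in) and returns Classify's verdict on it.
func Scenario(name string) (Verdict, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Verdict{}, err
	}
	rootTmpl := caTemplate(1, "Constructed Test Root")
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return Verdict{}, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return Verdict{}, err
	}
	sub := caTemplate(2, "Constructed Test SubCA")
	switch name {
	case "unconstrained": // no EKU extension at all: the shape discussed in the post
	case "anyEKU":
		sub.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageAny}
	case "personal": // typical personal-certificate subCA, no name constraints
		sub.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection}
	case "personal-constrained":
		sub.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection}
		sub.PermittedEmailAddresses = []string{"example.com"} // rfc822Name constraint
	case "tls-constrained":
		sub.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		sub.PermittedDNSDomains = []string{"example.com"}
		sub.PermittedDNSDomainsCritical = true
		_, v4, _ := net.ParseCIDR("0.0.0.0/0") // exclude every IP address
		_, v6, _ := net.ParseCIDR("::/0")
		sub.ExcludedIPRanges = []*net.IPNet{v4, v6}
	default:
		return Verdict{}, fmt.Errorf("unknown scenario %q", name)
	}
	subKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Verdict{}, err
	}
	subDER, err := x509.CreateCertificate(rand.Reader, sub, root, &subKey.PublicKey, rootKey)
	if err != nil {
		return Verdict{}, err
	}
	parsed, err := x509.ParseCertificate(subDER)
	if err != nil {
		return Verdict{}, err
	}
	return Classify(parsed), nil
}

func main() {
	for _, n := range []string{"unconstrained", "anyEKU", "personal", "personal-constrained", "tls-constrained"} {
		v, err := Scenario(n)
		fmt.Printf("%-20s tls=%v email=%v err=%v\n", n, v.ConstrainedForTLS, v.ConstrainedForEmail, err)
	}
}
```

Running the block prints one verdict per scenario. The "personal" row (TLS constrained, email not) is the case from the thread: adding such a subCA to OneCRL is unnecessary for Firefox users but is the only way to protect Thunderbird users under a root carrying the email trust bit, which is why the question of whether to do it "for prevention" is not symmetric across the two bits.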