All,

I have been asked to consider updating Mozilla's CA Certificate Policy
to clarify that a ccTLD is not acceptable in permittedSubtrees for
technically constraining subordinate CA certs.

In section 7.1.5 of version 1.3 of the Baseline Requirements it says:

"(a) For each dNSName in permittedSubtrees, the CA MUST confirm that the
Applicant has registered the dNSName or has been authorized by the
domain registrant to act on the registrant's behalf in line with the
verification practices of section 3.2.2.4."

And in
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
section 9 says: "For each dNSName in permittedSubtrees, the issuing CA
MUST confirm that the subordinate CA has registered the dNSName or has
been authorized by the domain registrant to act on the registrant's
behalf. Each dNSName in permittedSubtrees must be a registered domain
(with zero or more subdomains) according to the Public Suffix List
algorithm."

I don't see how a CA could confirm that the subordinate owns/controls
all of the domains for a ccTLD (e.g. *.uk). So, it seems to me that any
subordinate CA that has a ccTLD in permittedSubtrees does not meet the
BR or Mozilla requirements regarding being technically constrained.

So, should we specifically state (in the requirements regarding a subCA
being technically constrained) that permittedSubtrees cannot contain a
ccTLD?

Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
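The policy text quoted above requires each dNSName in permittedSubtrees to be a registered domain "according to the Public Suffix List algorithm". The following added example (not part of the original post or of Mozilla's policy tooling) implements that algorithm's matching rules over a small constructed subset of the PSL and flags entries such as a bare ccTLD that would fail the check; `PSL_RULES` is a stand-in, and a real audit would load the full published list.

```python
# Added example: flag permittedSubtrees dNSName entries that are bare public
# suffixes (e.g. a ccTLD) rather than registered domains, using the Public
# Suffix List matching algorithm. PSL_RULES is a constructed subset of the
# real list, chosen to exercise plain, wildcard ("*.") and exception ("!") rules.
PSL_RULES = ["com", "uk", "co.uk", "gov.uk", "*.ck", "!www.ck"]


def _labels(name):
    # Normalise a dNSName: lower-case, drop trailing dot and any informal
    # leading "*." or "." (name constraints do not actually use wildcards).
    return name.lower().strip(".").lstrip("*.").split(".")


def _rule_matches(rule_labels, labels):
    # Compare right to left; a rule label must equal the domain label or be
    # the '*' wildcard, and the rule may not have more labels than the name.
    if len(rule_labels) > len(labels):
        return False
    return all(r == "*" or r == d for r, d in zip(reversed(rule_labels), reversed(labels)))


def public_suffix(name, rules=PSL_RULES):
    labels = _labels(name)
    prevailing, exception = ["*"], None  # the implicit "*" rule applies if nothing matches
    for rule in rules:
        is_exception = rule.startswith("!")
        rule_labels = rule.lstrip("!").split(".")
        if _rule_matches(rule_labels, labels):
            if is_exception:
                exception = rule_labels
            elif len(rule_labels) > len(prevailing):
                prevailing = rule_labels  # longest matching rule wins
    # An exception rule beats every other rule; its suffix is the rule minus
    # its leftmost label.
    suffix_labels = exception[1:] if exception is not None else prevailing
    return ".".join(labels[-len(suffix_labels):])


def is_registered_domain(name, rules=PSL_RULES):
    # A registered domain is the public suffix plus at least one more label.
    return len(_labels(name)) > len(public_suffix(name, rules).split("."))


def check_permitted_subtrees(dns_names, rules=PSL_RULES):
    # Return the entries that do not satisfy the "registered domain" rule.
    return [n for n in dns_names if not is_registered_domain(n, rules)]


if __name__ == "__main__":
    print(check_permitted_subtrees(["example.com", "uk", "co.uk", "sub.example.co.uk"]))
```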