Hi Kathleen. Apologies, as I should have sent my previous request concerning hypothetical S/MIME ccTLD usage in response to this post. My main concern was not to cover S/MIME and SSL Server Certificates with a single rule.

I hope that came across clearly. Thanks.

Steve

Sent from my iPhone

> On 10 Nov 2015, at 20:08, Kathleen Wilson <[email protected]> wrote:
>
> All,
>
> I have been asked to consider updating Mozilla's CA Certificate Policy to clarify that a ccTLD is not acceptable in permittedSubtrees for technically constraining subordinate CA certs.
>
> In section 7.1.5 of version 1.3 of the Baseline Requirement it says:
> "(a) For each dNSName in permittedSubtrees, the CA MUST confirm that the Applicant has registered the dNSName or has been authorized by the domain registrant to act on the registrant's behalf in line with the verification practices of section 3.2.2.4."
>
> And in https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ section 9 says: "For each dNSName in permittedSubtrees, the issuing CA MUST confirm that the subordinate CA has registered the dNSName or has been authorized by the domain registrant to act on the registrant's behalf. Each dNSName in permittedSubtrees must be a registered domain (with zero or more subdomains) according to the Public Suffix List algorithm."
>
> I don't see how a CA could confirm that the subordinate owns/controls all of the domains for a ccTLD (e.g. *.uk). So, it seems to me that any subordinate CA that has a ccTLD in permittedSubtrees does not meet the BR or Mozilla requirements regarding being technically constrained.
>
> So, should we specifically state (in the requirements regarding a subCA being technically constrained) that permittedSubtrees cannot contain a ccTLD?
>
> Kathleen
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
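An added illustration of the section 9 test Kathleen quotes (example code written for this thread, not Mozilla's or the CA/Browser Forum's own): it applies the Public Suffix List algorithm to each dNSName in permittedSubtrees and flags entries that are themselves a public suffix (a ccTLD such as uk, or a second-level suffix such as co.uk) rather than a registered domain with zero or more subdomains. The rule list below is a constructed handful of PSL rules chosen to exercise wildcard and exception handling, not the real list.

```python
# Constructed subset of Public Suffix List rules (NOT the real list, which is
# published at https://publicsuffix.org/). Includes a wildcard rule (*.ck) and
# an exception rule (!www.ck) so both branches of the algorithm are exercised.
PSL_RULES = ["uk", "co.uk", "com", "*.ck", "!www.ck", "jp", "*.kawasaki.jp", "!city.kawasaki.jp"]

def _rule_matches(rule, labels):
    """A rule matches when its labels equal the domain's trailing labels ('*' matches any)."""
    rule_labels = rule.lstrip("!").split(".")
    if len(rule_labels) > len(labels):
        return False
    return all(r == "*" or r == l for r, l in zip(reversed(rule_labels), reversed(labels)))

def public_suffix(domain, rules=PSL_RULES):
    """Return the public suffix of domain per the PSL algorithm."""
    labels = domain.lower().rstrip(".").split(".")
    matches = [r for r in rules if _rule_matches(r, labels)]
    exceptions = [r for r in matches if r.startswith("!")]
    if exceptions:
        # An exception rule wins; its public suffix is the rule minus its leftmost label.
        prevailing = exceptions[0].lstrip("!").split(".")[1:]
    elif matches:
        # Otherwise the longest matching rule (most labels) prevails.
        prevailing = max(matches, key=lambda r: r.count(".")).split(".")
    else:
        prevailing = ["*"]  # no rule matched: the TLD itself is the public suffix
    return ".".join(labels[-len(prevailing):])

def registered_domain(domain, rules=PSL_RULES):
    """Registered domain = public suffix plus one label; None if domain IS a public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    suffix_len = public_suffix(domain, rules).count(".") + 1
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])

def check_permitted_subtrees(dns_names, rules=PSL_RULES):
    """Return the permittedSubtrees dNSName entries that are NOT a registered domain
    (with zero or more subdomains), i.e. entries a CA cannot validate under section 9."""
    bad = []
    for name in dns_names:
        candidate = name.lstrip(".")  # name-constraint encodings may carry a leading dot
        if registered_domain(candidate, rules) is None:
            bad.append(name)
    return bad

if __name__ == "__main__":
    # Constructed sample permittedSubtrees from a hypothetical technically constrained subCA.
    print(check_permitted_subtrees([".uk", "example.com", "co.uk", "sub.example.co.uk", "foo.ck"]))
```

With the real list loaded into `PSL_RULES` the same functions apply to an actual name-constraints extension; a non-empty result is a subCA that does not satisfy the quoted requirement.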

