On 07/03/2016 11:36, Rob Stradling wrote:
On 04/03/16 23:14, Matt Palmer wrote:
On Fri, Mar 04, 2016 at 09:19:36PM +0000, Rob Stradling wrote:
Maybe we need to take a different approach that ignores the end-entity
certificate profile completely. How about we propose that...
- An X.509 certificate is in scope for the BRs if it's signed by an
Issuing CA that is in scope.
- An Issuing CA is in scope if:
i) it chains to a Root Certificate that is trusted for server
authentication
You'll want to describe *who* trusts the root.
Hi Matt. I thought somebody might point that out. Sorry for my
handwaviness. ;-)
"*who* trusts" is indeed important, but it wasn't the aspect of the
scope problem I was trying to solve with my previous post.
I trust lots of private PKI
roots for server authentication in my own gear, but they're never going
mainstream.
Perhaps "it chains to a Root Certificate that is trusted, or is
intended to
be trusted, by one or more Browser members of the CA/Browser Forum for
server authentication"? The "intended to be trusted" is to make sure
that
candidates for browser trust programs know they're on the hook, too.
- Matt
How about "It chains to a Root certificate claiming compliance with
these BRs". This is a clear condition with a well-defined and
controllable meaning. Either a CA root is intended as a CAB/F
compliant root submitted to all the relevant browser related trust
lists and thus would seek compliance with the BR, or that root (even if
operated by the same entity as a BR compliant root) doesn't do that.
And while we are at it, we also need to look at what the scope rules
would be for e-mail and code certificates and CAs. E-mail because of
Thunderbird.
Code certificates because while the Mozilla corporate folks have
abandoned the concept, many other people have not, and this Mozilla
forum remains the primary contact point between the open source
community and the CAs, partially because many Open Source distributions
(including at least Debian and Ubuntu) use the Mozilla CA list as the
basis for their system-wide general purpose certificate stores.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
