Kathleen -
In looking at this Draft CA Communications, I looked at the description of
Behavior change and #5 doesn't look like the change is the right interpretation:
5. If the inhibitAnyPolicy extension is present in an intermediate certificate
or trust anchor and children certificates have a certificate policy extension
the verification will fail. bug 989051
According to RFC 5280:
The inhibit anyPolicy extension can be used in certificates issued to CAs. The
inhibit anyPolicy extension indicates that the special anyPolicy OID, with the
value { 2 5 29 32 0 }, is not considered an explicit match for other
certificate policies except when it appears in an intermediate self-issued CA
certificate. The value indicates the number of additional non-self-issued
certificates that may appear in the path before anyPolicy is no longer
permitted. For example, a value of one indicates that anyPolicy may be
processed in certificates issued by the subject of this certificate, but not in
additional certificates in the path.
The inhibitAnyPolicy extension does not mean that a certificate Policy
extension can't be in the end entity certificate or any intermediate
certificates in the chain, it means that the "anyPolicy OID" is not valid
further down in the certificate path. It would be used when you want to ensure
a specific certificate policy is in the path all the way to the end-entity
certificate.
Thanks,
Wendy
Wendy Brown
FPKIMA Technical Liaison
Protiviti Government Services
703-299-4705 (office) 703-965-2990 (cell)
[email protected]
[email protected]
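A runnable sketch of the RFC 5280 section 6.1 processing described above, added here as an illustration; it is not code from Mozilla, mozilla::pkix or the FPKI. It tracks only the inhibit_anyPolicy state variable, replaces the full valid_policy_tree with a flat set of policy OIDs, and uses constructed certificates and a placeholder policy OID (1.3.6.1.4.1.99999.1) rather than parsed DER.

```python
"""Simplified RFC 5280 section 6.1 policy processing, covering only the
inhibit_anyPolicy state variable. The valid_policy_tree is reduced to a flat
set of policy OIDs, which is enough to show when anyPolicy stops matching.
Certificates are constructed dicts rather than parsed DER (illustration only)."""

ANY_POLICY = "2.5.29.32.0"               # anyPolicy OID, { 2 5 29 32 0 } in RFC 5280
EXAMPLE_POLICY = "1.3.6.1.4.1.99999.1"   # constructed placeholder policy OID


def cert(policies, self_issued=False, inhibit_any_policy=None):
    """Build a constructed certificate: asserted policy OIDs, whether the
    certificate is self-issued, and the inhibitAnyPolicy skipCerts value."""
    return {"policies": set(policies), "self_issued": self_issued,
            "inhibit_any_policy": inhibit_any_policy}


def valid_policies(path):
    """path: certificates from the one issued by the trust anchor down to the
    end entity (the anchor itself is not in the path, as in RFC 5280 6.1.1).
    Returns the set of policy OIDs valid at the end entity; an empty set
    means no policy survives, which is a failure when an explicit policy is
    required."""
    n = len(path)
    inhibit_any = n + 1                      # 6.1.2: initially not inhibited
    valid = {ANY_POLICY}                     # stands in for a tree rooted at anyPolicy
    for i, c in enumerate(path, start=1):
        # 6.1.3 (d)/(e): anyPolicy is an explicit match only while the skip
        # count is positive, or in a self-issued intermediate certificate.
        any_ok = inhibit_any > 0 or (i < n and c["self_issued"])
        explicit = c["policies"] - {ANY_POLICY}
        if ANY_POLICY in c["policies"] and any_ok:
            pass                             # anyPolicy keeps everything valid so far
        elif ANY_POLICY in valid:
            valid = explicit                 # first explicit policies fix the set
        else:
            valid = valid & explicit         # later certificates can only narrow it
        if i < n:                            # 6.1.4: prepare for the next certificate
            if not c["self_issued"] and inhibit_any > 0:
                inhibit_any -= 1             # (h): one more non-self-issued cert consumed
            if c["inhibit_any_policy"] is not None:
                inhibit_any = min(inhibit_any, c["inhibit_any_policy"])  # (j)
    return valid
```

With skipCerts 0 in the intermediate, an end-entity certificate asserting an explicit policy OID still validates; only a certificate that asserts nothing but anyPolicy below that point ends up with no valid policy.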
Date: Mon, 28 Apr 2014 12:04:15 -0700
From: Kathleen Wilson <[email protected]>
To: [email protected]
Subject: DRAFT: May CA Communication
Message-ID: <[email protected]>
Content-Type: text/plain; charset=windows-1252; format=flowed
All,
Here is a DRAFT CA Communication that I would like to send next week. I will
greatly appreciate your thoughtful and constructive feedback on it.
Previous CA Communications: https://wiki.mozilla.org/CA:Communications
** DRAFT CA Communication **
Subject: Mozilla Communication: Action requested by <date>
Dear Certification Authority,
This note requests a set of actions on your behalf, as a participant in
Mozilla's CA Certificate Program. Please reply by <date>, with your response to
these action items. A compiled list of CA responses to the following action
items will be published.
Mozilla's CA Certificate Inclusion Policy:
http://www.mozilla.org/about/governance/policies/security-group/certs/policy/inclusion/
Mozilla's spreadsheet of included root certificates:
http://www.mozilla.org/about/governance/policies/security-group/certs/included/
1) Ensure that Mozilla's spreadsheet of included root certificates has the
correct link to your most recent audit statement, and that the date of the
audit statement is correct. As per Mozilla's CA Certificate Policy, we require
that all CAs whose certificates are distributed with our software products
provide us an updated statement annually of attestation of their conformance to
the stated verification requirements and other operational criteria by a
competent independent party or parties.
Please respond with one of the following:
A) Mozilla's spreadsheet of included root certificates has the correct link to
our most recent audit statement, and the audit statement date is correct.
B) Here is the most recent audit statement for our certificates that are
included in Mozilla's CA program: <insert link here>
C) We plan to send Mozilla our current audit statement by <insert date
here>.
2) Send Mozilla the link to your most recent Baseline Requirements audit
statement. Details about Mozilla's audit requirements are listed in section 11
of Mozilla's CA Certificate Inclusion Policy.
Please respond with one of the following:
A) Mozilla's spreadsheet of included root certificates has the correct link to
our most recent Baseline Requirements audit statement.
B) Here is the most recent Baseline Requirements audit statement for our
certificates that are included in Mozilla's CA program: <insert link here>
C) We plan to send Mozilla our current Baseline Requirements audit statement by
<insert date here>.
D) The websites (SSL/TLS) trust bit is not enabled for our certificates that
are included in Mozilla's CA program.
3) Test Mozilla's new Certificate Verification library with your CA hierarchies
and inform your customers of the upcoming changes as needed.
The new Certificate Verification library (mozilla::pkix) was announced
here:
https://blog.mozilla.org/security/2014/04/24/exciting-updates-to-certificate-verification-in-gecko/
Mozilla::pkix includes some changes in support of current best practices and
policies, as listed here:
https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Behavior_Changes
How to test:
https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Request_for_Testing
Please respond with one of the following:
A) We have tested certificates in our CA hierarchy with Mozilla's new
Certificate Verification library, and found that the certificates in our CA
hierarchies are not impacted by the changes introduced in mozilla::pkix.
B) We have found the following issues when testing certificates in our CA
hierarchy with mozilla::pkix. <descriptions or Bugzilla bug numbers, related
URLs and/or certificates>
C) We are testing certificates in our CA hierarchy with Mozilla's new
Certificate Verification library, and plan to send Mozilla our results by
<insert date here, must be before June 30, 2014>.
4) Check your certificate issuance to confirm that no new certificates will be
issued with the problems listed here:
https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix
Please respond with one of the following:
A) We have not and will not issue certificates with the problems listed in the
mozpkix-testing#Things_for_CAs_to_Fix wiki page.
B) We have previously issued certificates with the following problems listed in
the mozpkix-testing#Things_for_CAs_to_Fix wiki page: <list the problems that
needed to be fixed>. The last of those certificates expire <insert dates here>.
We will not issue new certificates with the problems listed in the
mozpkix-testing#Things_for_CAs_to_Fix wiki page as of this date: <date when
your operations will be updated, no later than June 30, 2014>
5) Send Mozilla information about your publicly disclosed intermediate
certificates that chain up to certificates in Mozilla's CA program, as per
Items #8, 9, and 10 of Mozilla's CA Certificate Inclusion Policy.
Please respond with one of the following:
A) All intermediate certificates chaining up to our certificates in Mozilla's
CA program are either included in our annual audits and listed in our annual
audit statements, or are technically constrained according to section 9 of
Mozilla's CA Certificate Inclusion Policy.
B) The required information, according to section 10 of Mozilla's CA
Certificate Inclusion Policy, is available here: <URL to a web page, or
Bugzilla Bug Number>.
Participation in Mozilla's CA Certificate Program is at our sole discretion,
and we will take whatever steps are necessary to keep our users safe.
Nevertheless, we believe that the best approach to safeguard that security is
to work with CAs as partners, to foster open and frank
communication, and to be diligent in looking for ways to improve.
Thank you for your cooperation in this pursuit.
Regards,
Kathleen Wilson, Module Owner of Mozilla's CA Certificates Module
** END DRAFT **
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy