On 5/12/14, 2:24 PM, Jeremy Rowley wrote:
Kathleen,
Can you explain #5 a bit? I apologize if this was previously answered, but
does this rule apply to all intermediates used by the CA itself or only
those existing outside of the CA's PKI? Seems like ones operated solely by
the CA (and covered by the CA's audit) don't necessarily require disclosure
(since they are under the audit). My confusion comes because of the use of
"cross-certificate" in some parts of 8, whereas other sections use
"subordinate CA certificates". Can this be clarified?
Jeremy
http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
--
8. All certificates that are capable of being used to issue new
certificates, and which directly or transitively chain to a certificate
included in Mozilla’s CA Certificate Program, MUST be operated in
accordance with Mozilla’s CA Certificate Policy and MUST either be
technically constrained or be publicly disclosed and audited.
- A certificate is deemed as capable of being used to issue new
certificates if it contains an X.509v3 basicConstraints extension, with
the cA boolean set to true. *The term "subordinate CA" below refers to
any organization or legal entity that is in possession or control of a
certificate that is capable of being used to issue new certificates.*
- These requirements include all cross-certified certificates which
chain to a certificate that is included in Mozilla’s CA Certificate Program.
9. We encourage CAs to technically constrain all subordinate CA
certificates. For a certificate to be considered technically
constrained, ...
10. We recognize that technically constraining subordinate CA
certificates as described above may not be practical in some cases. All
certificates that are capable of being used to issue new certificates,
that are not technically constrained, and that directly or transitively
chain to a certificate included in Mozilla’s CA Certificate Program MUST
be audited in accordance with Mozilla’s CA Certificate Policy and MUST
be publicly disclosed by the CA that has their certificate included in
Mozilla’s CA Certificate Program....
--
The second bullet of #8 says that the term "subordinate CAs" includes
"cross-certified certificates", i.e. a "cross-certified certificate"
is a type of "subordinate CA".
When I read the above portions of the policy, I interpret it as saying
that all certificates with isCA=TRUE must either be technically
constrained (as described in #9) or publicly disclosed and audited (as
described in #10).
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
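Kathleen's reading of #8 and #10 (every certificate carrying basicConstraints with cA=TRUE that chains, directly or through a cross-certificate, to an included root must be technically constrained or publicly disclosed and audited) is mechanical enough to check against real certificate chains. The following is an added example using Go's standard crypto/x509 package; it is not code from this thread or from Mozilla. It constructs a hypothetical hierarchy with fresh keys and made-up names (an "Included Root", an intermediate with pathLenConstraint 0, a cross-certificate the included root issues to an externally operated CA's key, and two leaves, one of which has no basicConstraints at all), verifies each leaf to the included root, and lists the chain members the policy covers. The helper names `issuingCapable`, `mustDisclose`, `tmpl`, `sign` and `buildDemo` are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issuingCapable is the policy's test for "capable of being used to issue new
// certificates": basicConstraints present with cA = TRUE. A missing extension or
// cA = FALSE fails; pathLen 0 still passes, since it only forbids issuing further CAs.
func issuingCapable(c *x509.Certificate) bool {
	return c.BasicConstraintsValid && c.IsCA
}

// mustDisclose returns the certificates in a verified chain (leaf first, included
// root last) that #8/#10 cover: every issuing-capable one other than the root itself.
func mustDisclose(chain []*x509.Certificate) []*x509.Certificate {
	var out []*x509.Certificate
	for _, c := range chain[:len(chain)-1] {
		if issuingCapable(c) {
			out = append(out, c)
		}
	}
	return out
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// tmpl builds a template; withBC=false omits basicConstraints, pathLen -1 omits pathLenConstraint.
func tmpl(cn string, serial int64, withBC, isCA bool, pathLen int) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: withBC,
		IsCA: isCA, MaxPathLen: pathLen, MaxPathLenZero: pathLen == 0,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// sign issues t for pub, signed with parentKey under parent (self-signed when parent is nil).
func sign(t, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = t
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey))))
}

// demo is a constructed hierarchy (hypothetical names, fresh keys): an in-house
// intermediate with pathLen 0, a cross-certificate for an external CA key, two leaves.
type demo struct {
	IncludedRoot, Intermediate, CrossCert, LeafViaCross, LeafNoBC *x509.Certificate
}

func buildDemo() *demo {
	rootKey, interKey, extKey, leafKey := newKey(), newKey(), newKey(), newKey()
	d := &demo{}
	d.IncludedRoot = sign(tmpl("Included Root", 1, true, true, -1), nil, &rootKey.PublicKey, rootKey)
	d.Intermediate = sign(tmpl("Included Intermediate", 2, true, true, 0), d.IncludedRoot, &interKey.PublicKey, rootKey)
	// Cross-certificate: the included root certifies the external CA's key under that CA's name.
	d.CrossCert = sign(tmpl("External Root", 3, true, true, -1), d.IncludedRoot, &extKey.PublicKey, rootKey)
	// Signed with the external key; the cross-certificate stands in for the external CA's own root.
	d.LeafViaCross = sign(tmpl("b.example.test", 4, true, false, -1), d.CrossCert, &leafKey.PublicKey, extKey)
	d.LeafNoBC = sign(tmpl("c.example.test", 5, false, false, -1), d.Intermediate, &leafKey.PublicKey, interKey)
	return d
}

// verifiedChain builds leaf's chain to the included root, with the other CA certs as untrusted intermediates.
func (d *demo) verifiedChain(leaf *x509.Certificate) []*x509.Certificate {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(d.IncludedRoot)
	inters.AddCert(d.Intermediate)
	inters.AddCert(d.CrossCert)
	return must(leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters}))[0]
}

func main() {
	d := buildDemo()
	for _, leaf := range []*x509.Certificate{d.LeafViaCross, d.LeafNoBC} {
		for _, c := range mustDisclose(d.verifiedChain(leaf)) {
			fmt.Printf("%s: %q (serial %d) must be constrained or disclosed and audited\n", leaf.Subject.CommonName, c.Subject.CommonName, c.SerialNumber)
		}
	}
}
```

Two things to note when running this. The leaf under the cross-certificate reports the cross-certificate itself, not the external CA's self-signed root: the external root never chains to the included root, but the cross-certificate does, which is exactly the case the second bullet of #8 brings into scope. The intermediate with pathLenConstraint 0 is still reported, because the policy's definition looks only at the cA boolean, and a leaf with no basicConstraints at all is correctly outside it. What counts as "technically constrained" under #9 is elided in the quoted text and is not modelled here; every certificate the code lists must satisfy one of the two branches.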