Thanks for pointing out my oversight, Rob. When I read that first paragraph I skipped over the first word, which is an important first word!
I was a little thrown by the last sentence, "a single issuing CA". I took that to mean root cert, but I guess they meant any intermediate within the chain? Does anyone have insight into why Microsoft wants to do this? Without the enforcement this is just a "you have to promise not to do this" and "okay we won't" situation. I don't see any point in that.

Original Message
From: Rob Stradling
Sent: Wednesday, May 14, 2014 8:07 AM
To: [email protected]; [email protected]
Subject: Re: QuoVadis Request to Include Renewed Roots

On 14/05/14 13:54, [email protected] wrote:
> By my reading of the Microsoft requirements using separate intermediates is
> insufficient: they must be root certificates.

Peter, my reading of the Microsoft requirements [1] is that using separate intermediates is sufficient (although note the EKU requirement for non-legacy intermediates).

"INTERMEDIATE / ISSUING CA CERTIFICATES
...
Separation of SSL and Code Signing Key Uses
Intermediate CA certificates under root certificates submitted for distribution by the Program must be configured to separate server authentication (SSL) from code signing and time stamping uses. A single issuing CA must not be used to issue both server authentication and code signing certificates. Rollover root certificates will not be accepted that combine server authentication with code signing uses unless the uses are separated by application of EKUs at the intermediate CA certificate level that are reflected in the whole certificate chain."

[1] http://social.technet.microsoft.com/wiki/contents/articles/1760.windows-root-certificate-program-technical-requirements-version-2-0.aspx

> I'm not familiar with their reasoning behind that but I can imagine cases
> where that could be a good idea (a consequence of Heartbleed perhaps).
> Whatever the case may be, if you're going to have the rule then some
> enforcement mechanism is necessary hence the need for a code-signing-only
> cert in the trust store.
>
> I also would like to see an official statement regarding when the current
> QuoVadis certs in the trust store may be removed. We should require a time
> certain for when the "replaced certs" should be considered obsolete and thus
> revoked via removal.
>
>
> Original Message
> From: Stephen Davidson
> Sent: Monday, May 12, 2014 8:32 AM
> To: Chema López; Kathleen Wilson
> Cc: [email protected]
> Subject: RE: QuoVadis Request to Include Renewed Roots
>
> QuoVadis is compliant with the Microsoft requirements, and has implemented
> separate SHA256 intermediate CAs for the issuance of code signing
> certificates. (More precisely stated, QuoVadis SSL certificates are not
> issued from the same intermediate CAs as time stamping and code signing
> certificates).
>
> Kind regards, Stephen Davidson
> QuoVadis

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
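An added example, not part of the thread or of any program's tooling: a Python sketch of checking whether the separation quoted above is technically enforced by EKUs "reflected in the whole certificate chain". Certificates are modelled as constructed (name, EKU set) pairs rather than parsed X.509, the CA names are hypothetical, and treating a missing EKU extension or anyExtendedKeyUsage as unrestricted is an assumption of this sketch.

```python
# Added illustration: certificates are modelled as (name, EKU set) pairs.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"    # id-kp-serverAuth
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"   # id-kp-codeSigning
TIME_STAMPING = "1.3.6.1.5.5.7.3.8"  # id-kp-timeStamping
ANY_EKU = "2.5.29.37.0"              # anyExtendedKeyUsage
SIGNING_USES = {CODE_SIGNING, TIME_STAMPING}
ALL_USES = {SERVER_AUTH} | SIGNING_USES


def effective_ekus(chain):
    """Intersect EKUs from the root down to the issuing CA.

    chain: list of (name, ekus) ordered root first; ekus is a set of OIDs,
    or None when the certificate carries no EKU extension.
    Assumption: a missing EKU extension or anyExtendedKeyUsage leaves the
    uses unrestricted at that level.
    """
    allowed = set(ALL_USES)
    for _name, ekus in chain:
        if ekus is None or ANY_EKU in ekus:
            continue
        allowed &= ekus
    return allowed


def permits_both_uses(chain):
    """True when nothing in the chain stops the issuing CA from issuing both
    server-authentication and code-signing/time-stamping certificates."""
    allowed = effective_ekus(chain)
    return SERVER_AUTH in allowed and bool(allowed & SIGNING_USES)


# Constructed sample chains (hypothetical CA names).
ROOT = ("Example Root CA", None)
CHAINS = {
    "ssl-only": [ROOT, ("Example SSL CA", {SERVER_AUTH})],
    "signing-only": [ROOT, ("Example Signing CA", {CODE_SIGNING, TIME_STAMPING})],
    "unconstrained": [ROOT, ("Example Legacy CA", None)],
    "mixed": [ROOT, ("Example Mixed CA", {SERVER_AUTH, CODE_SIGNING})],
}

if __name__ == "__main__":
    for label, chain in CHAINS.items():
        verdict = "not enforced" if permits_both_uses(chain) else "separated"
        print(f"{label:14} {sorted(effective_ekus(chain))} {verdict}")
```

The "unconstrained" chain is the promise-only case raised in the thread: the CA may in practice issue only one kind of certificate, but nothing in the chain prevents the other.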

