It would be great to see Mozilla propose and advocate, within the CA/Browser
Forum, that section 9.3.1 of the BRs, Reserved Certificate Policy Identifiers,
be made mandatory. Presently this section of the BRs is only optional.
The text as of revision 1.1.8 reads:
"9.3.1 Reserved Certificate Policy Identifiers
The following Certificate Policy identifiers are reserved for use by CAs as an
optional means of asserting compliance with these Requirements as follows:
{joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140)
certificate-policies(1) baseline-requirements(2) domain-validated(1)}
(2.23.140.1.2.1), if the Certificate complies with these Requirements but lacks
Subject Identity Information that is verified in accordance with Section 11.2.
If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it
MUST NOT include organizationName, streetAddress, localityName,
stateOrProvinceName, or postalCode in the Subject field.
{joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140)
certificate-policies(1) baseline-requirements(2)
subject-identity-validated(2)} (2.23.140.1.2.2), if the Certificate complies
with these Requirements and includes Subject Identity Information that is
verified in accordance with Section 11.2.
If the Certificate asserts the policy identifier of 2.23.140.1.2.2, then it
MUST also include organizationName, localityName, stateOrProvinceName (if
applicable), and countryName in the Subject field."
The status quo today means that it is not possible to discriminate
programmatically between a DV and an OV certificate in a standardized, reliable way.
This is unreasonable, as the validation and assurance on such certificates are
very different. This should, therefore, be reflected in the certificates that
are issued by CAs, but this is typically not the case today.
Changing the BRs to make this mandatory going forward would address this over
time as existing certificates expire and are renewed.
Thanks,
Nick
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
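The check the post is asking for, as an added example that is not part of the original message or of any CA's tooling: a Go program that classifies a parsed X.509 certificate as DV or OV by the two reserved OIDs quoted above and then tests the Subject against the MUST NOT / MUST rules section 9.3.1 attaches to each. It uses only the Go standard library (crypto/x509 fills PolicyIdentifiers from the certificatePolicies extension when it parses a certificate). The self-signed certificate minted by SelfSignedWithPolicies is constructed input for exercising the classifier offline; the Subject values and serial number it carries are assumptions, not data from any real certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// Policy OIDs reserved by BR 9.3.1, and RFC 5280 id-ce-certificatePolicies.
var (
	OIDBRDomainValidated   = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	OIDBRSubjectValidated  = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
)

// RFC 5280 PolicyInformation with the OPTIONAL policyQualifiers omitted.
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// attr names one Subject attribute from 9.3.1 and its values in the parsed cert.
type attr struct {
	name   string
	values []string
}

// ClassifyBR returns "DV", "OV" or "" (neither reserved OID asserted), plus
// any violations of the Subject-field rules 9.3.1 attaches to each OID.
func ClassifyBR(cert *x509.Certificate) (string, []string) {
	hasDV, hasOV := false, false
	for _, p := range cert.PolicyIdentifiers {
		hasDV = hasDV || p.Equal(OIDBRDomainValidated)
		hasOV = hasOV || p.Equal(OIDBRSubjectValidated)
	}
	if hasDV && hasOV {
		return "", []string{"asserts both 2.23.140.1.2.1 and 2.23.140.1.2.2"}
	}
	s := cert.Subject
	var problems []string
	if hasDV {
		// 2.23.140.1.2.1: the Subject MUST NOT include any of these five.
		for _, a := range []attr{{"organizationName", s.Organization}, {"streetAddress", s.StreetAddress},
			{"localityName", s.Locality}, {"stateOrProvinceName", s.Province}, {"postalCode", s.PostalCode}} {
			if len(a.values) > 0 {
				problems = append(problems, "DV certificate includes "+a.name)
			}
		}
		return "DV", problems
	}
	if hasOV {
		// 2.23.140.1.2.2: the Subject MUST include these three; stateOrProvinceName
		// is only "if applicable" in the text, so it is not enforced here.
		for _, a := range []attr{{"organizationName", s.Organization}, {"localityName", s.Locality}, {"countryName", s.Country}} {
			if len(a.values) == 0 {
				problems = append(problems, "OV certificate lacks "+a.name)
			}
		}
		return "OV", problems
	}
	return "", nil
}

// SelfSignedWithPolicies mints a throwaway self-signed certificate (constructed
// input, not from any real CA) carrying the given Subject and policy OIDs. The
// certificatePolicies extension is built by hand via ExtraExtensions, so the
// result does not depend on how a given Go release marshals PolicyIdentifiers.
func SelfSignedWithPolicies(subject pkix.Name, oids ...asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // assumed serial for the test certificate
		Subject:      subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if len(oids) > 0 { // no OIDs at all models today's typical DV/OV certificate
		var infos []policyInformation
		for _, o := range oids {
			infos = append(infos, policyInformation{Policy: o})
		}
		val, err := asn1.Marshal(infos)
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Against a certificate that carries neither OID, ClassifyBR returns "" whatever the Subject contains, which is exactly the "cannot discriminate programmatically" situation the post describes; against one that asserts 2.23.140.1.2.1 while carrying an organizationName, it reports the contradiction rather than guessing. To run it on a real leaf, replace SelfSignedWithPolicies with x509.ParseCertificate over the DER from a TLS connection's PeerCertificates[0].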