On 03/30/2015 09:23 AM, Gervase Markham wrote:
> On 30/03/15 16:34, Richard Barnes wrote:
>> Adding the intermediates would allow CNNIC to continue to issue end-entity
>> certificates, and not penalize site owners immediately (as Peter notes).
>> However, it would prevent the acceptance of other intermediates, since the
>> improper issuance of intermediates is the immediate issue here.
>
> This is only true if we are aware of all existing in-use CNNIC
> intermediates, and that they all have an explicit pathLength constraint of
> 0. A higher constraint, or none at all, would allow CNNIC to issue
> further intermediates off the whitelisted intermediates.
>
>> As a compromise, however, I would be willing to add the CNNIC intermediates
>> to the Mozilla root list (F). (Ideally, with an additional path length
>> constraint, set to zero.)
>
> Ah, I see you have covered this. If the CNNIC intermediates do not have
> such a constraint, we could add one artificially, but AIUI that would
> require custom code.

Since we never have to verify signatures on trust anchors, we can make
modifications to the information they contain without causing verification
failures. In this case, if we add those intermediates as trust anchors, we
can modify the basicConstraints extensions to each have a pathLenConstraint
of 0. This shouldn't require custom user-agent code.

>> Since CNNIC's policy regarding intermediates is the immediate issue here,
>> this seems like a reasonable compromise. However, these intermediate
>> certificates should not be admitted indefinitely. Rather, we should plan
>> to remove them after a fixed time (say 6 months) or after CNNIC's
>> re-application is resolved, whichever comes first.
>
> If CNNIC are required to re-apply from scratch, I believe the current
> length of the application queue is longer than six months. That would
> mean that it's likely the time limit you set would expire before the
> determination of their re-inclusion.

I imagine the actual length of time to keep the intermediates around is up
for debate. In any case, it would still give sites time to move to a
different CA.

If we remove the CNNIC root (which I think we should), this sounds like a
good trade-off between protecting our users and the compatibility concerns
of root-removal.

Cheers,
David

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

