Proposal for version 2.3 of Mozilla's CA Certificate Policy:
Remove the code signing trust bit.
If this proposal is accepted, then there would be follow-up action items
that would need to happen after version 2.3 of the policy is published:
1) Remove any root certificates that do not have the Websites and/or
Email trust bit set.
2) Remove references to Code Signing trust bits from Mozilla’s wiki pages.
Note: This proposal came out of the discussion called "Remove Roots used
for only Email and CodeSigning?"
https://groups.google.com/d/msg/mozilla.dev.security.policy/8VdIUKX5MbU/LQIOjgTIGQAJ
I am separating it out into its own discussion at this point to make it
very clear that we are discussing this proposal as a change to version
2.3 of Mozilla's CA Certificate Policy.
== The proposed changes to the policy are as follows ==
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
In the first paragraph, change: “The certificates included by default have
their "trust bits" set for various purposes, so that the software in
question can use the CA certificates to verify certificates for SSL
servers, S/MIME email users, and digitally-signed code objects without
having to ask users for further permission or information.”
To
“The certificates included by default have their "trust bits" set for
various purposes, so that the software in question can use the CA
certificates to verify certificates for SSL servers and S/MIME email
users without having to ask users for further permission or information.”
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
In “7. We consider verification of certificate signing requests to be
acceptable if it meets or exceeds the following requirements: …”
Delete 4th bullet point:
“for certificates to be used for digitally signing code objects, the CA
takes reasonable measures to verify that the entity submitting the
certificate signing request is the same entity referenced in the
certificate or has been authorized by the entity referenced in the
certificate to act on that entity’s behalf;”
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
In “9. We encourage CAs to technically constrain all subordinate CA
certificates. …”
Delete 3rd bullet point:
“If the certificate includes the id-kp-codeSigning extended key usage,
then the certificate MUST contain a directoryName permittedSubtrees
constraint where each permittedSubtree contains the organizationName,
localityName (where relevant), stateOrProvinceName (where relevant) and
countryName fields of an address that the issuing CA has confirmed
belongs to the subordinate CA.”
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
In “18. To request that its certificate(s) be added to the default set a
CA should submit a formal request by…”
Delete: “, or digitally-signed executable code objects;”
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/
In “10. Changes may be made to root certificates that are included in
Mozilla products as follows: …”
Change “disabling a root is the act of turning off one or more of the
three trust bits (Websites, Email, Code Signing)”
To
“disabling a root certificate is the act of turning off one or more of
the two trust bits (Websites, Email)”
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/enforcement/
Change “4. A certificate is disabled by turning off one or more of the
three trust bits (Websites, Email, Code Signing).”
To
“4. A certificate is disabled by turning off one or more of the two
trust bits (Websites, Email).”
===
As always, I will appreciate your thoughtful and constructive feedback
on this proposal.
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy