On 10/11/2015 10:08 PM, Kathleen Wilson wrote:
All,
I have been asked to consider updating Mozilla's CA Certificate Policy
to clarify that a ccTLD is not acceptable in permittedSubtrees for
technically constraining subordinate CA certs.
In section 7.1.5 of version 1.3 of the Baseline Requirements it says:
"(a) For each dNSName in permittedSubtrees, the CA MUST confirm that
the Applicant has registered the dNSName or has been authorized by the
domain registrant to act on the registrant's behalf in line with the
verification practices of section 3.2.2.4."
And in
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
section 9 says: "For each dNSName in permittedSubtrees, the issuing CA
MUST confirm that the subordinate CA has registered the dNSName or has
been authorized by the domain registrant to act on the registrant’s
behalf. Each dNSName in permittedSubtrees must be a registered domain
(with zero or more subdomains) according to the Public Suffix List
algorithm."
I don't see how a CA could confirm that the subordinate owns/controls
all of the domains for a ccTLD (e.g. *.uk). So, it seems to me that
any subordinate CA that has a ccTLD in permittedSubtrees does not meet
the BR or Mozilla requirements regarding being technically constrained.
So, should we specifically state (in the requirements regarding a
subCA being technically constrained) that permittedSubtrees cannot
contain a ccTLD?
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
I would like to clarify that there might be cases where a subCA is
properly audited but also wishes to be technically constrained under a
TLD or a second level domain, such as .com.gr, even if it is not the
legal entity operating the whole domain, in order to minimize possible
exposure and risk. I think this discussion is coming to decide in which
circumstances it is required to have a full audit or not. If the
permittedSubtrees has a dNSName for which the subCA has complete domain
control, then according to the current Mozilla policy, it does not need
to be audited by an external auditor. In all other cases, subCAs must be
properly audited. Perhaps this statement makes it clearer.
Best regards,
Dimitris Zacharopoulos.
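
The Public Suffix List test quoted above from section 9 of the Mozilla policy, sketched as an added example that is not part of either message or of any Mozilla tooling. The function names are hypothetical and `PSL_RULES` is a small excerpt constructed for the example; a real check would load the full list from publicsuffix.org.

```python
# Added example: classify permittedSubtrees dNSName entries with the
# Public Suffix List algorithm. PSL_RULES is a constructed excerpt only.
PSL_RULES = {"com", "uk", "co.uk", "gr", "com.gr", "*.ck", "!www.ck"}


def public_suffix_len(labels):
    """Return how many trailing labels of `labels` form the public suffix."""
    best = 1  # default rule "*": the last label alone is a public suffix
    for n in range(1, len(labels) + 1):
        tail = labels[-n:]
        if "!" + ".".join(tail) in PSL_RULES:
            return n - 1  # exception rule wins: suffix is the rule minus its first label
        wildcard = ".".join(["*"] + tail[1:])
        if ".".join(tail) in PSL_RULES or wildcard in PSL_RULES:
            best = max(best, n)  # the longest matching rule prevails
    return best


def classify_constraint(dns_name):
    """Classify one dNSName as 'public-suffix' or 'registered-domain'."""
    # Some certificates encode the constraint with a leading dot; ignore it here.
    labels = dns_name.lower().strip(".").split(".")
    if len(labels) <= public_suffix_len(labels):
        # A ccTLD or other suffix: no single applicant registered every name below it.
        return "public-suffix"
    # A registered domain with zero or more subdomains, as the policy text requires.
    return "registered-domain"


def review_permitted_subtrees(dns_names):
    """Return the entries that are not registered domains under the PSL algorithm."""
    return [n for n in dns_names if classify_constraint(n) == "public-suffix"]


if __name__ == "__main__":
    # Constructed sample of permittedSubtrees dNSName values.
    sample = ["example.com", "uk", "com.gr", "sub.example.gr", "foo.ck", "www.ck"]
    for name in sample:
        print(f"{name:16} {classify_constraint(name)}")
```

Entries returned by `review_permitted_subtrees` are the ones the thread is about: the subordinate CA would need a full audit rather than relying on the name constraint.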