On 03/10/16 23:43, [email protected] wrote:
[snip]
> Regards,
> 
> Kathleen Wilson Mozilla CA Program Manager
> 
> ACTION #1a: As previously communicated, CAs should no longer be
> issuing SHA-1 certificates chaining up to root certificates included
> in Mozilla's CA Certificate Program. Check your systems and those of
> your subordinate CAs to ensure that SHA-1 certificates chaining up to
> your included root certificates are no longer being issued. Please
> enter the last date that a SHA-1 certificate was issued that chained
> up to your root certificate(s) included in Mozilla's program.
> (Required)

Mozilla should make clear how this question should be answered with
respect to issuance of:
a) SHA-1 subCAs which are constrained by EKU to not issue TLS server or
email certs (e.g. for code signing);
b) SHA-1 end-entity certificates which are constrained by EKU to not be
for TLS servers or email certs but whose issuing subCA is not so
constrained;
c) SHA-1 end-entity certificates which are not constrained by EKU but
lack a common name or SAN which can be used as a server name or email
address; and
d) SHA-1 end-entity certificates whose parent CA is constrained by EKU
to not be for TLS server or email certs.

The question as written would seem to me to apply to all of these (since
"SHA-1 certificates chaining up to your included root certificates" is
not qualified), but it seems, from inclusion request discussion, that
CAs tend to think that "out of scope" certificates need not be mentioned.

[snip]
> ACTION #6: All certificates that directly or transitively chain to
> your root certificate(s) included in Mozilla's CA Certificate Program
> must comply with Mozilla's CA Certificate Policy. This includes test
> certificates.
> 
> Review your policies, procedures, and auditing about issuance of test
> certificates, what domain names may be used in test certificates, and
> the domain verification procedures that must be followed for test
> certificates.
> 
> [TBD] What else should we say here? -- What sort of responses do we
> want from CAs? -- Rules about testing and test certs (per Symantec
> incident) -- What sorts of things do we want to make sure CAs do and
> don't do regarding testing? (Required)

Maybe a reminder that Mozilla expects test certificates to follow the
domain validation procedures in the CA's CP/CPS (that Mozilla presumably
reviewed) and not just be issued in compliance with the BRs per se?

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
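The four cases (a) to (d) in the message above describe how a CA might decide that some SHA-1 certificates are "out of scope" for ACTION #1a. The following is an added example, not code from the thread or from Mozilla: it classifies SHA-1 certificates from a CA's issuance records into those four cases and shows that the "last SHA-1 issuance date" answer changes depending on whether the out-of-scope cases are counted. The `Cert` record is a constructed stand-in for a parsed X.509 certificate (a real implementation would fill it from a certificate database or from parsed DER); the OIDs are the standard signature-algorithm and extended-key-usage values from RFC 3279 and RFC 5280, and the sample chain is constructed for illustration.

```python
# Added example: scope classification of SHA-1 certificates per the four
# cases in the message. Cert is a constructed model, not a real X.509 parser.
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Iterable, Optional, Tuple
import re

# Signature algorithm OIDs that mean "signed with SHA-1" (RFC 3279).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5",  # sha1WithRSAEncryption
    "1.2.840.10045.4.1",     # ecdsa-with-SHA1
    "1.2.840.10040.4.3",     # dsa-with-sha1
}
SHA256_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption, for contrast

# Extended key usage OIDs (RFC 5280, section 4.2.1.12).
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
EKU_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
EKU_ANY = "2.5.29.37.0"
TLS_OR_EMAIL = {EKU_SERVER_AUTH, EKU_EMAIL_PROTECTION, EKU_ANY}


@dataclass(frozen=True)
class Cert:
    label: str
    signature_oid: str
    is_ca: bool
    issued: date
    eku: Optional[FrozenSet[str]] = None    # None: no EKU extension present
    common_name: Optional[str] = None
    sans: Tuple[str, ...] = ()
    issuer: Optional["Cert"] = None         # None for a self-signed root


def permits_tls_or_email(eku: Optional[FrozenSet[str]]) -> bool:
    """No EKU extension, or serverAuth/emailProtection/anyEKU, leaves TLS or email use open."""
    return eku is None or bool(eku & TLS_OR_EMAIL)


# Loose checks for "could this name be used as a server name or an email address".
HOSTNAME_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)
EMAIL_RE = re.compile(r"^[^@\s]+@([a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def has_server_or_email_name(cert: Cert) -> bool:
    names = list(cert.sans)
    if cert.common_name:
        names.append(cert.common_name)
    return any(HOSTNAME_RE.match(n) or EMAIL_RE.match(n) for n in names)


def classify(cert: Cert) -> str:
    """Return 'not-sha1', one of the cases 'a'..'d' from the message, or 'in-scope'."""
    if cert.signature_oid not in SHA1_SIGNATURE_OIDS:
        return "not-sha1"
    if cert.is_ca:
        # (a) SHA-1 subCA whose EKU excludes TLS server and email use
        return "a" if not permits_tls_or_email(cert.eku) else "in-scope"
    if cert.issuer is not None and not permits_tls_or_email(cert.issuer.eku):
        return "d"  # (d) parent CA is EKU-constrained away from TLS/email
    if not permits_tls_or_email(cert.eku):
        return "b"  # (b) end-entity constrained, but its issuing subCA is not
    if not has_server_or_email_name(cert):
        return "c"  # (c) unconstrained EKU, but no usable server name or email
    return "in-scope"


def last_sha1_issuance(certs: Iterable[Cert], count_out_of_scope: bool) -> Optional[date]:
    """Latest issuance date of SHA-1 certificates, with or without cases (a)-(d)."""
    dates = []
    for c in certs:
        kind = classify(c)
        if kind == "in-scope" or (count_out_of_scope and kind != "not-sha1"):
            dates.append(c.issued)
    return max(dates) if dates else None


# Constructed sample hierarchy (labels and dates are made up for illustration).
ROOT = Cert("Root", SHA256_RSA, True, date(2010, 1, 1))
TLS_SUBCA = Cert("TLS subCA", SHA256_RSA, True, date(2012, 1, 1), issuer=ROOT)
CODESIGN_SUBCA = Cert("Code-signing subCA", "1.2.840.113549.1.1.5", True,
                      date(2014, 6, 1), eku=frozenset({EKU_CODE_SIGNING}), issuer=ROOT)
EE_B = Cert("Signer under unconstrained subCA", "1.2.840.113549.1.1.5", False,
            date(2015, 3, 15), eku=frozenset({EKU_CODE_SIGNING}),
            common_name="Example Software Inc", issuer=TLS_SUBCA)
EE_C = Cert("Device cert, no usable name", "1.2.840.113549.1.1.5", False,
            date(2015, 9, 1), common_name="device-0001", issuer=TLS_SUBCA)
EE_D = Cert("Signer under constrained subCA", "1.2.840.10045.4.1", False,
            date(2016, 2, 20), eku=frozenset({EKU_CODE_SIGNING}),
            common_name="Example Software Inc", issuer=CODESIGN_SUBCA)
EE_TLS = Cert("Web server cert", "1.2.840.113549.1.1.5", False,
              date(2015, 12, 31), eku=frozenset({EKU_SERVER_AUTH}),
              sans=("www.example.com",), issuer=TLS_SUBCA)
ALL_CERTS = (ROOT, TLS_SUBCA, CODESIGN_SUBCA, EE_B, EE_C, EE_D, EE_TLS)

if __name__ == "__main__":
    for c in ALL_CERTS:
        print(f"{c.label:40} -> {classify(c)}")
    print("last SHA-1 issuance, in-scope only:", last_sha1_issuance(ALL_CERTS, False))
    print("last SHA-1 issuance, all SHA-1 certs:", last_sha1_issuance(ALL_CERTS, True))
```

Run as written, the two reported dates differ (2015-12-31 versus 2016-02-20), which is exactly the ambiguity the message raises: a CA that treats cases (a) to (d) as out of scope will report an earlier date than one that reads the question literally.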