On Monday, March 14, 2016 at 5:28:32 PM UTC-7, Charles Reiss wrote:
> > ACTION #1a: As previously communicated, CAs should no longer be
> > issuing SHA-1 certificates chaining up to root certificates included
> > in Mozilla's CA Certificate Program. Check your systems and those of
> > your subordinate CAs to ensure that SHA-1 certificates chaining up to
> > your included root certificates are no longer being issued. Please
> > enter the last date that a SHA-1 certificate was issued that chained
> > up to your root certificate(s) included in Mozilla's program.
> > (Required)
>
> Mozilla should make clear how this question should be answered with
> respect to issuance of:
> a) SHA-1 subCAs which are constrained by EKU to not issue TLS server or
> email certs (e.g. for code signing);
> b) SHA-1 end-entity certificates which are constrained by EKU to not be
> for TLS servers or email certs but whose issuing subCA is not so
> constrained;
> c) SHA-1 end-entity certificates which are not constrained by EKU but
> lack a common name or SAN which can be used as a server name or email
> address; and
> d) SHA-1 end-entity certificates whose parent CA is constrained by EKU
> to not be for TLS server or email certs.
>
> The question as written would seem to me to apply to all of these (since
> "SHA-1 certificates chaining up to your included root certificates" is
> not qualified), but it seems, from inclusion request discussion, that
> CAs tend to think that "out of scope" certificates need not be mentioned.

Does the following text clear it up?

ACTION #1a: As previously communicated, CAs should no longer be issuing SHA-1 certificates chaining up to root certificates included in Mozilla's CA Certificate Program. This includes TLS/SSL and S/MIME certificates, as well as any intermediate certificates that they chain up to. Check your systems and those of your subordinate CAs to ensure that SHA-1 based TLS/SSL and S/MIME certificates chaining up to your included root certificates are no longer being issued. Please enter the last date that a SHA-1 based TLS/SSL certificate was issued that chained up to your root certificates included in Mozilla's program. (Required)

> [snip]
> > ACTION #6: All certificates that directly or transitively chain to
> > your root certificate(s) included in Mozilla's CA Certificate Program
> > must comply with Mozilla's CA Certificate Policy. This includes test
> > certificates.
> >
> > Review your policies, procedures, and auditing about issuance of test
> > certificates, what domain names may be used in test certificates, and
> > the domain verification procedures that must be followed for test
> > certificates.
> >
> > [TBD] What else should we say here? -- What sort of responses do we
> > want from CAs? -- Rules about testing and test certs (per Symantec
> > incident) -- What sorts of things do we want to make sure CAs do and
> > don't do regarding testing? (Required)
>
> Maybe a reminder that Mozilla expects test certificates to follow the
> domain validation procedures in the CA's CP/CPS (that Mozilla presumably
> reviewed) and not just be issued in compliance with the BRs per se?

How about the following?

ACTION #6: All certificates that directly or transitively chain to your root certificates included in Mozilla's CA Certificate Program must comply with Mozilla's CA Certificate Policy. This includes test certificates.

Review your policies, procedures, and auditing about issuance of test certificates, what domain names may be used in test certificates, and the domain verification procedures that must be followed for test certificates. (Required)

[checkbox] I confirm that I understand that all TLS/SSL certificates chaining up to root certificates included in Mozilla's CA Certificate Program, without exception, must conform to Mozilla's CA Certificate Policy and the domain validation procedures documented in our CP/CPS.

Thanks,
Kathleen

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
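The scope cases (a) through (d) that Charles lists, and the TLS/SSL and S/MIME reading in Kathleen's revised ACTION #1a text, come down to three X.509 properties: the signature algorithm on the certificate, the Extended Key Usage of the certificate and of its issuer, and whether the subject carries a host name, IP address or mailbox. The following Go program is an added example written for this page; it is not code from the thread, from Mozilla, or from any CA. It sorts a certificate into those buckets so a CA auditing its own issuance records can see which SHA-1 certificates its answer must cover. The `Category` names, the `Classify` and `ClassifyPEM` functions and the sample certificates in `main` are all constructed here; the CommonName fallback in `hasServerNameOrEmail` is a simple heuristic, not a standard rule.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// Category is the scope bucket for one certificate: the cases (a)-(d) from
// the thread plus the two plain outcomes. Names are this example's own.
type Category string

const (
	NotSHA1               Category = "not SHA-1 signed: nothing to report"
	InScope               Category = "SHA-1 TLS/SSL or S/MIME capable: must be reported"
	ConstrainedSubCA      Category = "(a) SHA-1 subCA whose EKU excludes TLS server and email"
	ConstrainedLeaf       Category = "(b) SHA-1 end-entity, EKU excludes TLS server and email, issuer unconstrained"
	UnconstrainedNoName   Category = "(c) SHA-1 end-entity, no EKU, no server name or email address"
	ParentConstrainedLeaf Category = "(d) SHA-1 end-entity under an EKU-constrained parent CA"
)

// sha1Signed reports whether the certificate's own signature uses SHA-1.
func sha1Signed(alg x509.SignatureAlgorithm) bool {
	switch alg {
	case x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		return true
	}
	return false
}

// allowsTLSOrEmail reports whether an EKU list permits serverAuth or
// emailProtection. No EKU extension means unconstrained; anyEKU permits all.
func allowsTLSOrEmail(ekus []x509.ExtKeyUsage) bool {
	if len(ekus) == 0 {
		return true
	}
	for _, e := range ekus {
		switch e {
		case x509.ExtKeyUsageAny, x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageEmailProtection:
			return true
		}
	}
	return false
}

// hasServerNameOrEmail reports whether the subject carries a name a client
// could accept as a host, IP or mailbox. SANs are decisive; the CommonName
// check is a heuristic (contains '@' or '.') for this example only.
func hasServerNameOrEmail(c *x509.Certificate) bool {
	if len(c.DNSNames) > 0 || len(c.IPAddresses) > 0 || len(c.EmailAddresses) > 0 {
		return true
	}
	cn := c.Subject.CommonName
	return strings.Contains(cn, "@") || strings.Contains(cn, ".")
}

// Classify places cert in a bucket. issuer may be nil when the issuing CA is
// unavailable; case (d) then cannot be detected, so pass the issuer when known.
func Classify(cert, issuer *x509.Certificate) Category {
	if !sha1Signed(cert.SignatureAlgorithm) {
		return NotSHA1
	}
	if cert.IsCA {
		if !allowsTLSOrEmail(cert.ExtKeyUsage) {
			return ConstrainedSubCA
		}
		return InScope // an unconstrained SHA-1 intermediate is in scope
	}
	if issuer != nil && !allowsTLSOrEmail(issuer.ExtKeyUsage) {
		return ParentConstrainedLeaf
	}
	if !allowsTLSOrEmail(cert.ExtKeyUsage) {
		return ConstrainedLeaf
	}
	if len(cert.ExtKeyUsage) == 0 && !hasServerNameOrEmail(cert) {
		return UnconstrainedNoName
	}
	return InScope
}

// ClassifyPEM parses a PEM certificate and, optionally, its PEM issuer, then
// classifies the first against the second.
func ClassifyPEM(certPEM, issuerPEM []byte) (Category, error) {
	parse := func(data []byte) (*x509.Certificate, error) {
		block, _ := pem.Decode(data)
		if block == nil || block.Type != "CERTIFICATE" {
			return nil, errors.New("no CERTIFICATE block found")
		}
		return x509.ParseCertificate(block.Bytes)
	}
	cert, err := parse(certPEM)
	if err != nil {
		return "", err
	}
	var issuer *x509.Certificate
	if len(issuerPEM) > 0 {
		if issuer, err = parse(issuerPEM); err != nil {
			return "", err
		}
	}
	return Classify(cert, issuer), nil
}

func main() {
	// Constructed samples (not real issuance records); only fields the
	// classifier reads are populated, so no signing is performed.
	codeCA := &x509.Certificate{Subject: pkix.Name{CommonName: "Example Code Signing CA"}, IsCA: true,
		SignatureAlgorithm: x509.SHA1WithRSA, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	web := &x509.Certificate{Subject: pkix.Name{CommonName: "www.example.test"}, DNSNames: []string{"www.example.test"},
		SignatureAlgorithm: x509.SHA1WithRSA, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	fmt.Printf("%-26s %s\n", codeCA.Subject.CommonName, Classify(codeCA, nil))
	fmt.Printf("%-26s %s\n", web.Subject.CommonName, Classify(web, nil))
}
```

Running it prints the code-signing intermediate as case (a) and the web server certificate as in scope. In a real audit the inputs come from the CA's issuance database via `ClassifyPEM`, and the issuer should always be supplied so that case (d) is distinguished from case (b).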

