The following intermediate certificate is not "technically constrained"
according to the Policy. It contains id-kp-codeSigning, but does not
"contain a directoryName permittedSubtrees constraint where each
permittedSubtree contains the organizationName, localityName (where
relevant), stateOrProvinceName (where relevant) and countryName fields
of an address that the issuing CA has confirmed belongs to the
subordinate CA."
https://crt.sh/?sha1=4f5ea6a9e4ba30a4575dead4e4e9d3b2da66ea7b
https://wiki.mozilla.org/CA:SalesforceCommunity#Which_intermediate_certificate_data_should_CAs_add_to_Salesforce.3F
...says that "All certificates that are capable of being used to issue
new certificates, and which directly or transitively chain to their
certificate(s) included in Mozilla’s CA Certificate Program that are not
technically constrained as described in section 9 of Mozilla's CA
Certificate Inclusion Policy" need to be disclosed.
That page also says that this includes (emphasis mine) "every
intermediate certificate (chaining up to a root certificate in Mozilla's
program with the Websites trust bit enabled) that is not Technically
Constrained via Extended Key Usage *and* Name Constraint settings."
So far, ISTM that this intermediate certificate MUST be disclosed to
Salesforce.
However, then that page says...
"Intermediate certificates are considered to be technically constrained,
and do not need to be added to the CA Community in Salesforce if:
- The intermediate certificate has the Extended Key Usage (EKU)
extension and the EKU does not include any of these KeyPurposeIds:
anyExtendedKeyUsage, id-kp-serverAuth;
- The intermediate certificate includes the Name Constraints extension
as described in section 7.1.5 of the CA/Browser Forum's Baseline
Requirements; or
- The root certificate is not enabled with the Websites trust bit."
There's an "or" between the 2nd and 3rd bullets, but it's not clear
whether or not there's an implied "and" between the 1st and 2nd bullets.
The Policy's definition of "technically constrained" would suggest that
there is an implied "and". However, I'm not sure that that's your intent.
What's the actual disclosure requirement for intermediate certificates
that don't meet the Policy's definition of "technically constrained"?
a) MUST disclose to Salesforce?
or
b) MUST disclose to a place of the CA's choosing?
Thanks.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
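The two readings Rob asks about (an implied "and" between the EKU bullet and the Name Constraints bullet, versus a plain "or" across all three) can be made concrete by checking a certificate's extensions directly. The following Python is an added example, not part of the mailing list post and not Mozilla's or Salesforce's tooling. It assumes the `cryptography` package is installed, builds constructed self-signed CA certificates that mimic the cases discussed (so it runs offline rather than fetching the crt.sh entry), and, as a simplification, treats organizationName and countryName as the mandatory attributes in each directoryName permittedSubtree, leaving out the "where relevant" localityName and stateOrProvinceName check. The root's Websites trust bit is not visible in the intermediate itself, so it is passed in as a parameter.

```python
"""Classify an intermediate certificate against the two readings of the
"technically constrained" bullets discussed in the post. Added example,
not part of the original message; assumes the `cryptography` package."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID

# KeyPurposeIds that, per the quoted wiki text, keep an intermediate from
# being EKU-constrained with respect to the Websites trust bit.
WEBSITES_EKUS = {ExtendedKeyUsageOID.SERVER_AUTH,
                 ExtendedKeyUsageOID.ANY_EXTENDED_KEY_USAGE}

# Attribute types required in every directoryName permittedSubtree. The
# Policy also names localityName/stateOrProvinceName "where relevant"; this
# example (assumption) treats only O and C as mandatory.
REQUIRED_DN_ATTRS = {NameOID.ORGANIZATION_NAME, NameOID.COUNTRY_NAME}


def eku_constrained(cert: x509.Certificate) -> bool:
    """True if an EKU extension is present and excludes serverAuth/anyEKU."""
    try:
        eku = cert.extensions.get_extension_for_oid(
            ExtensionOID.EXTENDED_KEY_USAGE).value
    except x509.ExtensionNotFound:
        return False  # no EKU extension: nothing restricts the key purposes
    return not (set(eku) & WEBSITES_EKUS)


def name_constrained(cert: x509.Certificate) -> bool:
    """True if at least one directoryName permittedSubtree exists and every
    such subtree carries the required attribute types."""
    try:
        nc = cert.extensions.get_extension_for_oid(
            ExtensionOID.NAME_CONSTRAINTS).value
    except x509.ExtensionNotFound:
        return False
    subtrees = [s for s in (nc.permitted_subtrees or [])
                if isinstance(s, x509.DirectoryName)]
    if not subtrees:
        return False
    return all(REQUIRED_DN_ATTRS <= {a.oid for a in s.value} for s in subtrees)


def disclosure_required(cert, root_has_websites_bit=True, implied_and=True):
    """Apply the three bullets. implied_and=True reads bullets 1 and 2 as
    jointly required (the Policy's definition); False reads all three bullets
    as alternatives. Returns True when the intermediate must be disclosed."""
    if not root_has_websites_bit:
        return False  # bullet 3: root lacks the Websites trust bit
    e, n = eku_constrained(cert), name_constrained(cert)
    constrained = (e and n) if implied_and else (e or n)
    return not constrained


def make_intermediate(eku_oids, permitted_names):
    """Build a constructed, self-signed CA certificate for testing only."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME,
                                         "Constructed Test Intermediate")])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(name).issuer_name(name)
         .public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(now)
         .not_valid_after(now + datetime.timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=True, path_length=0),
                        critical=True))
    if eku_oids:
        b = b.add_extension(x509.ExtendedKeyUsage(eku_oids), critical=False)
    if permitted_names:
        b = b.add_extension(x509.NameConstraints(
            permitted_subtrees=[x509.DirectoryName(n) for n in permitted_names],
            excluded_subtrees=None), critical=True)
    return b.sign(key, hashes.SHA256())


# Constructed samples (not the crt.sh certificate referenced in the post).
SUBORDINATE_DN = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, "GB"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Subordinate Ltd"),
])
# Mirrors the case in the post: id-kp-codeSigning EKU, no Name Constraints.
CODESIGNING_NO_NC = make_intermediate([ExtendedKeyUsageOID.CODE_SIGNING], None)
# Same EKU plus a compliant directoryName permittedSubtree.
CODESIGNING_WITH_NC = make_intermediate([ExtendedKeyUsageOID.CODE_SIGNING],
                                        [SUBORDINATE_DN])
# serverAuth EKU with a compliant permittedSubtree: name-constrained only.
SERVERAUTH_WITH_NC = make_intermediate([ExtendedKeyUsageOID.SERVER_AUTH],
                                       [SUBORDINATE_DN])

if __name__ == "__main__":
    for label, c in [("codeSigning, no NC", CODESIGNING_NO_NC),
                     ("codeSigning + NC", CODESIGNING_WITH_NC),
                     ("serverAuth + NC", SERVERAUTH_WITH_NC)]:
        print(f"{label:20} disclose (and-reading): {disclosure_required(c)}  "
              f"disclose (or-reading): {disclosure_required(c, implied_and=False)}")
```

Running it shows the ambiguity directly: the codeSigning-only intermediate must be disclosed under the "and" reading (EKU-constrained but not name-constrained) and need not be under the "or" reading, which is exactly the difference between outcomes (a) and (b) in the question.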