This intermediate seems technically constrained for SSL and S/MIME 
certificates, which are the only types of certs under the current Mozilla 
policy. Having extra nameConstraints for this particular intermediate seems to 
be unnecessary for the Mozilla root program. 

DZ. 



> On 18 May 2016, at 17:16, Rob Stradling <rob.stradl...@comodo.com> wrote:
> 
> The following intermediate certificate is not "technically constrained" 
> according to the Policy.  It contains id-kp-codeSigning, but does not 
> "contain a directoryName permittedSubtrees constraint where each 
> permittedSubtree contains the organizationName, localityName (where 
> relevant), stateOrProvinceName (where relevant) and countryName fields of an 
> address that the issuing CA has confirmed belongs to the subordinate CA."
> https://crt.sh/?sha1=4f5ea6a9e4ba30a4575dead4e4e9d3b2da66ea7b
> 
> https://wiki.mozilla.org/CA:SalesforceCommunity#Which_intermediate_certificate_data_should_CAs_add_to_Salesforce.3F
> ...says that "All certificates that are capable of being used to issue new 
> certificates, and which directly or transitively chain to their 
> certificate(s) included in Mozilla’s CA Certificate Program that are not 
> technically constrained as described in section 9 of Mozilla's CA Certificate 
> Inclusion Policy" need to be disclosed.
> 
> That page also says that this includes (emphasis mine) "every intermediate 
> certificate (chaining up to a root certificate in Mozilla's program with the 
> Websites trust bit enabled) that is not Technically Constrained via Extended 
> Key Usage *and* Name Constraint settings."
> 
> So far, ISTM that this intermediate certificate MUST be disclosed to 
> Salesforce.
> 
> However, then that page says...
> "Intermediate certificates are considered to be technically constrained, and 
> do not need to be added to the CA Community in Salesforce if:
> - The intermediate certificate has the Extended Key Usage (EKU) extension and 
> the EKU does not include any of these KeyPurposeIds: anyExtendedKeyUsage, 
> id-kp-serverAuth;
> - The intermediate certificate includes the Name Constraints extension as 
> described in section 7.1.5 of the CA/Browser Forum's Baseline Requirements; or
> - The root certificate is not enabled with the Websites trust bit."
> 
> There's an "or" between the 2nd and 3rd bullets, but it's not clear whether 
> or not there's an implied "and" between the 1st and 2nd bullets.
> 
> The Policy's definition of "technically constrained" would suggest that there 
> is an implied "and".  However, I'm not sure that that's your intent.
> 
> What's the actual disclosure requirement for intermediate certificates that 
> don't meet the Policy's definition of "technically constrained"?
>  a) MUST disclose to Salesforce?
>  or
>  b) MUST disclose to a place of the CA's choosing.
> ?
> 
> Thanks.
> 
> -- 
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
> 
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
> 
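The two criteria Rob quotes (an EKU that excludes anyExtendedKeyUsage and id-kp-serverAuth, and, for an intermediate carrying id-kp-codeSigning, a directoryName permittedSubtree naming the subordinate CA's organizationName and countryName) can be checked mechanically before a CA decides whether an intermediate needs disclosing. The following Go program is an added example written for this thread; it is not Mozilla's, Comodo's or crt.sh's code. Go's crypto/x509 does not expose directoryName constraints, so it decodes the NameConstraints extension itself with encoding/asn1. The certificates it examines are constructed in-process (a self-signed "Example Code Signing CA", with and without the constraint), not the certificate linked on crt.sh, and the function names Assess, hasDirectoryNameConstraint and newIntermediate are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// RFC 5280 OIDs: the NameConstraints extension and the O and C attribute types.
var oidNameConstraints = asn1.ObjectIdentifier{2, 5, 29, 30}
var oidOrganizationName = asn1.ObjectIdentifier{2, 5, 4, 10}
var oidCountryName = asn1.ObjectIdentifier{2, 5, 4, 6}

// NameConstraints per RFC 5280 4.2.1.10; Base stays raw so a directoryName ([4] EXPLICIT Name) can be read.
type generalSubtree struct{ Base asn1.RawValue } // minimum/maximum and excludedSubtrees are not modelled
type nameConstraints struct {
	Permitted []generalSubtree `asn1:"optional,tag:0"`
}

// hasDirectoryNameConstraint: does a permittedSubtree directoryName carry both O and C?
func hasDirectoryNameConstraint(cert *x509.Certificate) bool {
	var nc nameConstraints
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidNameConstraints) {
			continue
		}
		if _, err := asn1.Unmarshal(ext.Value, &nc); err != nil {
			return false // malformed extension: do not credit it
		}
	}
	for _, st := range nc.Permitted {
		var name pkix.RDNSequence
		if _, err := asn1.Unmarshal(st.Base.Bytes, &name); err != nil ||
			st.Base.Class != asn1.ClassContextSpecific || st.Base.Tag != 4 {
			continue // only a well-formed directoryName ([4]) subtree names an address
		}
		hasO, hasC := false, false
		for _, rdn := range name {
			for _, atv := range rdn {
				hasO = hasO || atv.Type.Equal(oidOrganizationName)
				hasC = hasC || atv.Type.Equal(oidCountryName)
			}
		}
		if hasO && hasC {
			return true
		}
	}
	return false
}

// Assess applies the two criteria quoted in the thread and returns the reasons for a failure.
func Assess(cert *x509.Certificate) (bool, []string) {
	var problems []string
	codeSigning := false
	for _, eku := range cert.ExtKeyUsage {
		codeSigning = codeSigning || eku == x509.ExtKeyUsageCodeSigning
		if eku == x509.ExtKeyUsageAny || eku == x509.ExtKeyUsageServerAuth {
			problems = append(problems, "EKU includes anyExtendedKeyUsage or id-kp-serverAuth")
		}
	}
	if len(cert.ExtKeyUsage)+len(cert.UnknownExtKeyUsage) == 0 {
		problems = append(problems, "no Extended Key Usage extension")
	}
	if codeSigning && !hasDirectoryNameConstraint(cert) {
		problems = append(problems, "id-kp-codeSigning without a directoryName permittedSubtree naming O and C")
	}
	return len(problems) == 0, problems
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newIntermediate: constructed, self-signed codeSigning test fixture (not the crt.sh certificate).
func newIntermediate(withDirectoryName bool) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Code Signing CA (constructed)"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if withDirectoryName {
		// The subordinate CA's confirmed address, as organizationName and countryName.
		addr := pkix.Name{Organization: []string{"Example Corp"}, Country: []string{"GB"}}
		dn := must(asn1.Marshal(addr.ToRDNSequence()))
		nc := must(asn1.Marshal(nameConstraints{Permitted: []generalSubtree{{Base: asn1.RawValue{
			Class: asn1.ClassContextSpecific, Tag: 4, IsCompound: true, Bytes: dn}}}}))
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidNameConstraints, Critical: true, Value: nc}}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}
```

Calling Assess(newIntermediate(false)) reports the single defect Rob describes for the crt.sh certificate, a codeSigning EKU with no directoryName subtree, while Assess(newIntermediate(true)) passes. The Salesforce page's third bullet (the root lacking the Websites trust bit) is a property of the root rather than of the intermediate and is deliberately outside this check, as are the Policy's rules for serverAuth and emailProtection intermediates, which the thread does not quote.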