Hi Peter, On 11/11/16 01:42, Peter Bowen wrote: > Given that there is a lack of clarity on when the CABF BRs apply, and > that applicability of the BRs is outside the scope of the BRs, I > propose the following text to clarify and help CAs understand the > expectations of operating a publicly trusted CA.
This is helpful, thank you. Is it your proposal that this, or something like it, would be incorporated into Mozilla's root store policy as a "Scope" section or similar name? The following issues with our current policy may be relevant: https://github.com/mozilla/pkipolicy/issues/27 https://github.com/mozilla/pkipolicy/issues/5 > The WebPKI is based on certificate as described in RFC 5280. It is > inspired by ITU-T X.500 series standards but does not always comply > with the X.500 standards. In particular, WebPKI acknowledges and > accepts that the Directory Information Tree does not exist and > therefore focused on properties of subjects rather than their > relationships. I sort of think I know what you mean here, but could you expand this last part? > Therefore Distinguished Names, while being Sequences > of Relative Distinguished Names (RDNs), are treated as an unordered > Set of RDNs and different natural persons or legal entities may have > the same Distinguished Name if the described properties of the persons > or entities are the same. This is true, but is it important enough to be put here? What practical affect does it have to acknowledge this truth? > Definitions: Is this also your take on how best to resolve the issue currently before the CAB Forum about how to use consistent definitions of things like "CA" in the BRs? > Certification Authority (CA) - a logical entity which uses its private > key to sign certificates. Is this too broad? An intermediate certificate might meet this definition. Why do we need this definition if we have CAO and CAKP? > Cross-Certificate - a CA Certificate where the Issuer and Subject > Distinguished Names are not the same I would call this an Intermediate Certificate. A cross certificate is an informal term for a certificate which ties two previously-separated trees of certificates together. > End-entity Certificate - a Compliant Certificate either with no Basic > Constraints extension or with a value of false in the CA component I thought you weren't supposed to do "CA: false" explicitly? > Compliant Certificate - a Certificate as described in RFC 5280 as > updated by RFC 6818 with the following exceptions: > > dNSName type GeneralNames included in a Subject Alternative Name > extension may contain ‘*’ and ‘?’ Is "?" for CT? > Requirements: > > 1) The CA must have exactly one CA private key. One might add for clarity "A CAO operates one or more CAs." > 7) End-entity Certificates must include an Extended Key Usage > extension if one of the following is true: Why is this not required all the time? > 8) If the Extended Key Usage extension in an End-Entity certificate > contains either the id-kp-serverAuth key purpose id or the special > KeyPurposeId anyExtendedKeyUsage, or both, then the CA must follow the > Baseline Requirements for publicly trusted certificates when issuing > the certificate I would leave out anyExtendedKeyUsage - Firefox, at least, doesn't recognise it. > 9) If the Extended Key Usage extension in an End-Entity certificate > contains either the id-kp-codeSigning key purpose id or the special > KeyPurposeId anyExtendedKeyUsage, or both, then the CA must follow the > Minimum Requirements for the Issuance and Management of > Publicly-Trusted Code Signing Certificates when issuing the > certificate Again, if this were a Mozilla document, this would not be necessary. > 10) If the Extended Key Usage extension in an End-Entity certificate > contains either the id-kp-emailProtection key purpose id or the > special KeyPurposeId anyExtendedKeyUsage, or both, then the CA must: > > a) Ensure the End-Entity certificates follows the S/MIME Certificate > Profile: Minimum What is that? > 11) If the Subject Distinguished Name of an End-Entity certificate > contains any attributes of with the type jurisdictionCountryName (OID: > 1.3.6.1.4.1.311.60.2.1.3), then the CAO must validate the details of > the subject according to the Extended Validation Guidelines Why define EV this way, and not any other? Gerv _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
