On Tuesday, December 13, 2016 at 2:36:15 PM UTC-8, Kathleen Wilson wrote:
> Thanks to all of you who have reviewed and commented on this request from
> Government of Taiwan, Government Root Certification Authority (GRCA), to
> include their renewed Government Root Certification Authority root
> certificate, and turn on the Websites and Email trust bits.
>
> To summarize this discussion so far, two primary concerns have been raised,
> as follows.
>
> 1) There are several intermediate certificates that are technically capable
> of issuing TLS certificates, but have not been audited according to the BRs.
> This is a show-stopper.
>
> Reference:
> https://wiki.mozilla.org/CA:BaselineRequirements#Whole-Population_Audit_of_Intermediate_Certs
> "BR Audits must always include the whole-population audit of intermediate
> certificates that are capable of issuing SSL certs."
>
> This means that if the intermediate certificate is not technically
> constrained via EKU (and name constraints) then it must be audited according
> to the BRs.
>
> We have resolved this particular situation in the past by having the CA get
> an audit statement saying that the intermediate certificate has not issued
> TLS certificates during the audit period. And requiring that the CA get such
> an audit statement annually.
>

The CA has been working with their auditor to get an appropriate audit
statement that covers all of the intermediate certs chaining up to this root.

>
> 2) The new root certificate has the same exact full distinguished name as the
> old root certificate. I think this is OK.
>
> The CA tested this with Firefox, and provided their test results:
> https://bugzilla.mozilla.org/attachment.cgi?id=8818360
>

The new root cert having the same DN as the old root cert appears to work from
a technical standpoint (i.e. mozilla::pkix will find the right path if all
necessary certificates are present). However, the duplicate names have already
caused unnecessary confusion:
https://bugzilla.mozilla.org/show_bug.cgi?id=1304264

This "new" root certificate was created in 2012, is included in Microsoft's
program, and has several active intermediate certs. So it might not be
reasonable to ask the CA to generate a new root certificate at this point in
time. However, I urge the CA to take note, and not repeat this with the next
generation of their root certificate.

Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
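The two technical points in the message above (an intermediate is "technically constrained" away from TLS only by its EKU and name-constraint extensions, and a path builder must cope with two roots that share one DN) are illustrated below. This is an added example, not code from the original post, from Mozilla, or from GRCA. It uses the `cryptography` library, builds a constructed hierarchy with hypothetical names (`Example Government Root CA` and so on; no real GRCA names or keys are reproduced), and applies a simplified reading of the Mozilla rule quoted in the thread: the actual policy also prescribes which name-constraint types count as a technical constraint.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Hypothetical DN (constructed for this example, not the real GRCA name).
ROOT_DN = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, "XX"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Government Root CA"),
])


def _builder(subject, issuer, public_key, validity_days):
    """CA-certificate skeleton: names, key, serial, validity, cA=TRUE, SKI."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=validity_days))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(public_key), critical=False)
    )


def make_root(name):
    """Self-signed root. Called twice with the same name it yields two roots that
    share a DN but hold different keys, which is the situation in the thread."""
    key = ec.generate_private_key(ec.SECP256R1())
    return key, _builder(name, name, key.public_key(), 3650).sign(key, hashes.SHA256())


def make_intermediate(name, issuer_key, issuer_cert, eku=None, permitted_dns=None):
    """Intermediate signed by issuer_key. eku: list of ExtendedKeyUsageOIDs (None =
    no EKU extension at all); permitted_dns: dNSName permitted subtrees (None = none)."""
    key = ec.generate_private_key(ec.SECP256R1())
    builder = _builder(name, issuer_cert.subject, key.public_key(), 1825).add_extension(
        x509.AuthorityKeyIdentifier.from_issuer_public_key(issuer_key.public_key()),
        critical=False,
    )
    if eku is not None:
        builder = builder.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    if permitted_dns is not None:
        builder = builder.add_extension(
            x509.NameConstraints(permitted_subtrees=[x509.DNSName(d) for d in permitted_dns],
                                 excluded_subtrees=None),
            critical=True,
        )
    return key, builder.sign(issuer_key, hashes.SHA256())


def tls_capable(cert):
    """True unless an EKU extension is present that omits both id-kp-serverAuth
    and anyExtendedKeyUsage. A missing EKU extension means unrestricted."""
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return True
    return (ExtendedKeyUsageOID.SERVER_AUTH in eku
            or ExtendedKeyUsageOID.ANY_EXTENDED_KEY_USAGE in eku)


def name_constrained(cert):
    try:
        cert.extensions.get_extension_for_class(x509.NameConstraints)
        return True
    except x509.ExtensionNotFound:
        return False


def needs_br_audit(cert):
    """Simplified rule from the thread: TLS-capable and not technically constrained
    means the intermediate must be inside the BR audit scope."""
    return tls_capable(cert) and not name_constrained(cert)


def issuer_candidates_by_name(cert, trust_anchors):
    """Issuer selection by DN only: ambiguous when two roots share a subject."""
    return [ta for ta in trust_anchors if ta.subject == cert.issuer]


def find_issuer(cert, trust_anchors):
    """Among the DN matches, return the one whose key actually verifies the
    signature on cert; this is what disambiguates duplicate root DNs."""
    for cand in issuer_candidates_by_name(cert, trust_anchors):
        try:
            cand.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                     ec.ECDSA(cert.signature_hash_algorithm))
            return cand
        except InvalidSignature:
            continue
    return None


# Constructed hierarchy: old and new root with the identical DN, subs under the new one.
OLD_ROOT_KEY, OLD_ROOT = make_root(ROOT_DN)
NEW_ROOT_KEY, NEW_ROOT = make_root(ROOT_DN)
_sub_dn = lambda cn: x509.Name(list(ROOT_DN) + [x509.NameAttribute(NameOID.COMMON_NAME, cn)])

# serverAuth EKU, no name constraints: must be covered by the BR audit.
_, TLS_SUB = make_intermediate(_sub_dn("Example TLS CA"), NEW_ROOT_KEY, NEW_ROOT,
                               eku=[ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH])
# emailProtection-only EKU: technically constrained away from TLS.
_, EMAIL_SUB = make_intermediate(_sub_dn("Example Email CA"), NEW_ROOT_KEY, NEW_ROOT,
                                 eku=[ExtendedKeyUsageOID.EMAIL_PROTECTION])
# No EKU at all (so TLS-capable) but name-constrained to one hypothetical domain.
_, CONSTRAINED_SUB = make_intermediate(_sub_dn("Example Constrained CA"), NEW_ROOT_KEY, NEW_ROOT,
                                       eku=None, permitted_dns=["example.gov.xx"])
```

Run it against the constructed hierarchy: `needs_br_audit(TLS_SUB)` is True while the e-mail-only and name-constrained subs are exempt; `issuer_candidates_by_name(TLS_SUB, [OLD_ROOT, NEW_ROOT])` returns both roots, showing why duplicate DNs confuse anything that keys on names alone, and `find_issuer` resolves the ambiguity by checking the signature. To audit a real hierarchy, load the intermediates with `x509.load_pem_x509_certificate` and apply `needs_br_audit` to each.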