On 07/02/17 19:15, Jakob Bohm wrote:
>> Point 2 does not apply if the certificate is an OCSP signing certificate
>> manually issued directly from a root.
>
> Should be point 1 (an OCSP signing certificate is an EE cert)

Nope, I'm fairly sure I mean point 2. Rules about intermediate certs don't
apply when there's no intermediate cert.

> 3) Any intermediate between the Mozilla trusted CA root and the issuing
> intermediate:
> * Has an appropriate pathlen: constraint consistent with the pathlen to
> all its EE issuing lower intermediate certs.
> * Is used only for issuing lower intermediate certs, OCSP signing certs
> and CRLs. The OCSP signing certs and CRLs being used exclusively for
> revocation checking certs issued by the intermediate itself.

Please provide rationale for your suggested changes.

>> CAs may only sign SHA-1 hashes over intermediate certificates which
>> chain up to roots in Mozilla's program if the certificate to be signed
>> is a duplicate of an existing SHA-1 intermediate certificate with the
>> only changes being all of:
>> * a new key (of the same size);
>
> or larger
>
>> * a new serial number (of the same length);
>
> or longer

No; identical. The logic is that allowing length changes makes it more
possible for someone to construct a collision.

> None of the above applies to root certificates voluntarily
> withdrawn from the Mozilla root program.

This is implied everywhere.

> Root certificates previously withdrawn for this purpose are encouraged
> to report this fact to Mozilla by ???? and to maintain valid entries in
> the CCADB for such roots, all for the benefit of organizations that
> maintain or service software that are or interoperate with such older
> software.

This would be a different matter, and one for the CCADB policy. We would
need to have a very good reason for requiring CAs to keep information in
the CCADB which did not relate to our root program.

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

