On Friday, February 3, 2017 at 6:36:54 AM UTC+8, Kathleen Wilson wrote:
> On Tuesday, December 13, 2016 at 2:36:15 PM UTC-8, Kathleen Wilson wrote:
> > Thanks to all of you who have reviewed and commented on this request from 
> > Government of Taiwan, Government Root Certification Authority (GRCA), to 
> > include their renewed Government Root Certification Authority root 
> > certificate, and turn on the Websites and Email trust bits.
> > 
> > To summarize this discussion so far, two primary concerns have been raised, 
> > as follows.
> > 
> > 1) There are several intermediate certificates that are technically capable 
> > of issuing TLS certificates, but have not been audited according to the 
> > BRs. This is a show-stopper.
> > 
> > Reference:
> > https://wiki.mozilla.org/CA:BaselineRequirements#Whole-Population_Audit_of_Intermediate_Certs
> > “BR Audits must always include the whole-population audit of intermediate 
> > certificates that are capable of issuing SSL certs.”
> > 
> > This means that if the intermediate certificate is not technically 
> > constrained via EKU (and name constraints) then it must be audited 
> > according to the BRs. 
> > 
> > We have resolved this particular situation in the past by having the CA get 
> > an audit statement saying that the intermediate certificate has not issued 
> > TLS certificates during the audit period. And requiring that the CA get 
> > such an audit statement annually.
> > 
> 
> The CA has been working with their auditor to get an appropriate audit 
> statement that covers all of the intermediate certs chaining up to this root.
> 

In accordance with Kathleen's advice, our auditor has provided such an audit 
statement (https://bug1065896.bmoattachments.org/attachment.cgi?id=8835815).

> > 
> > 2) The new root certificate has the same exact full distinguished name as 
> > the old root certificate. I think this is OK.
> > 
> > The CA tested this with Firefox, and provided their test results:
> > https://bugzilla.mozilla.org/attachment.cgi?id=8818360
> >
> 
> The new root cert having the same DN as the old root cert appears to work
> from a technical standpoint (i.e. mozilla::pkix will find the right path if 
> all necessary certificates are present). However, the duplicate names have 
> already caused unnecessary confusion: 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1304264
> 
> This "new" root certificate was created in 2012, is included in Microsoft's 
> program, and has several active intermediate certs. So it might not be 
> reasonable to ask the CA to generate a new root certificate at this point in 
> time. However, I urge the CA to take note, and not repeat this with the next 
> generation of their root certificate.
> 
> Kathleen

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
