On Thu, Apr 13, 2017 at 10:48 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> > > Section 3.1.2.1 specifies that any CA capable of issuing secure email
> > > certificates must have a "WebTrust for CAs" audit (or corresponding
> > > ETSI audit). This is a huge change from 3.2 and I wonder if all CAs
> > > understand this. Even the Blog about this version does not highlight
> > > this substantial change:
> > > https://blog.mozilla.org/security/2017/04/04/mozilla-releases-version-2-4-ca-certificate-policy/
>
> I didn't realise it _was_ a substantial change. Are you saying that you
> used to think it was fine for email-only sub-CAs to have no audits at
> all? Is this because you considered all such CAs to be TCSCs (by the
> Mozilla definition)?
>
> Even if we didn't require it in our policy, I'm very surprised that
> no-one else does. Which other root store policies have requirements on
> email-only sub-CAs?

https://social.technet.microsoft.com/wiki/contents/articles/31635.microsoft-trusted-root-certificate-program-audit-requirements.aspx
(aka http://aka.ms/auditreqs)

S/MIME trust bit requires either

  "WebTrust Principles and Criteria for Certification Authorities - WebTrust for CAs 2.0"

or the combination of the following:

  "WebTrust Principles and Criteria for Certification Authorities - WebTrust for CAs 2.0"

  "ETSI TS 102 042 V2.4.1 or later (LCP, NCP, NCP+ policies) - Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates"

  and

  "ETSI TS 101 456 V1.4.3 or later - Electronic Signatures and Infrastructure (ESI); Policy requirements for certification authorities issuing qualified certificates"

> > > Obviously there are a lot of technically constrained CAs issued to
> > > organizations to run their own CAs for issuing secure email and
> > > client auth certificates. In order for them to continue operations,
> > > now every organization needs to be publicly reported and audited
> > > (a new requirement for 2.4.1 as far as I can tell), is that right?
> This is issue #36 :-)
> https://github.com/mozilla/pkipolicy/issues/36
>
> Do the CAs you are thinking of in this category have name constraints,
> or not (either actually in the cert, or via business controls)?
>
> > > When did (does) this take effect? Is this for new CAs, existing or
> > > both? When would the Audit Period for these CAs need to begin?
> > >
> > > This is a side question, but does the Mozilla policy require that
> > > these CAs meet the Network Security Requirements?
>
> https://github.com/mozilla/pkipolicy/issues/70 :-) Not at the moment.
>
> > > Section 5.3.2 says that all CAs of the type I'm discussing must be in
> > > the CCADB. What's the timeline for CAs to upload them?
>
> Well, let's figure out what the right thing to do is first. If it turns
> out we've created new normative requirements accidentally, the first
> thing to do is to decide whether that's what we meant. Only then will we
> set some sort of sane implementation timeline.
>
> Gerv
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy