(Resending as the attached file was too large)
On Fri, May 5, 2017 at 10:46 AM, Peter Bowen <pzbo...@gmail.com> wrote:
> On Thu, Apr 20, 2017 at 3:01 AM, Gervase Markham via
> dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>> On 15/04/17 17:05, Peter Bowen wrote:
>>> Should the Mozilla policy change to require disclosure of all CA
>>> certificates issued by an unconstrained CA (but not necessarily
>>> require audits, CP/CPS, etc)? This would help identify unintentional
>>> gaps in policy.
>>
>> https://github.com/mozilla/pkipolicy/issues/73
>>
>> I think I understand your point but if you could expand a bit in the
>> bug, that would be most welcome.
>
> Right now the policy does not require disclosure of CA-certificates
> that the CA deems are technically constrained. We have seen numerous
> cases where the CA misunderstood the rules or where the rules had
> unintentional gaps, and disclosing the certificate as constrained will
> allow discovery of these problems. For example, the current policy
> says "an Extended Key Usage (EKU) extension which does not contain
> either of the id-kp-serverAuth and id-kp-emailProtection EKUs", which
> means a certificate that has an EKU extension with only the
> anyExtendedKeyUsage KeyPurposeId falls outside of the scope. This is
> obviously wrong, but would not be discovered today.
>
> The flow chart at https://imagebin.ca/v/3LRcaKW9t2Qt shows my proposal for
> disclosure; it is a
> revised version from the one I posted to the CA/Browser Forum list and
> depends on the same higher level workflow
> (https://cabforum.org/pipermail/public/attachments/20170430/0e692c4d/attachment-0002.png
> ).
>
> Thanks,
> Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
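The anyExtendedKeyUsage gap Peter describes is easy to see when the EKU clause is written down as a predicate. The following is an added example, not code from the thread, from Mozilla, or from the CA/Browser Forum: it models only the single EKU clause quoted in the message (not the rest of the technical-constraint definition, which also depends on name constraints), parses the ExtendedKeyUsage extnValue with a small stdlib-only DER decoder, and compares the clause as written against an assumed corrected form that also treats anyExtendedKeyUsage as unconstrained. The sample extension values are constructed in the block, not taken from any real certificate; the function and constant names are the example's own.

```python
"""Model the EKU clause of the technical-constraint rule quoted above.

Pure stdlib: a minimal DER encoder/decoder for the ExtendedKeyUsage
extnValue (SEQUENCE OF OBJECT IDENTIFIER), the clause as written, and an
assumed corrected form. Sample extnValues are constructed here (not real).
"""

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"       # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"       # id-kp-clientAuth
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection
ANY_EKU = "2.5.29.37.0"                 # anyExtendedKeyUsage


def encode_oid(dotted):
    """DER-encode a dotted OID string as an OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128; high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def encode_eku(oids):
    """Build an ExtendedKeyUsage extnValue: SEQUENCE OF OBJECT IDENTIFIER."""
    content = b"".join(encode_oid(o) for o in oids)
    assert len(content) < 0x80  # short-form length is enough for these samples
    return b"\x30" + bytes([len(content)]) + content


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_eku(der):
    """Parse an ExtendedKeyUsage extnValue into a list of dotted OIDs."""
    tag, content, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("extnValue must be exactly one SEQUENCE")
    oids, pos = [], 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(body))
    if not oids:
        raise ValueError("RFC 5280 requires at least one KeyPurposeId")
    return oids


def constrained_as_written(eku_oids):
    """The clause quoted in the thread, read literally: an EKU extension is
    present and contains neither id-kp-serverAuth nor id-kp-emailProtection.
    eku_oids is None when the certificate carries no EKU extension."""
    return (eku_oids is not None
            and SERVER_AUTH not in eku_oids
            and EMAIL_PROTECTION not in eku_oids)


def constrained_with_any_eku_fix(eku_oids):
    """Assumed correction (not policy text): anyExtendedKeyUsage permits every
    key purpose, so it is treated like an absent EKU extension."""
    return constrained_as_written(eku_oids) and ANY_EKU not in eku_oids


# Constructed sample extnValues keyed by a description (None = no extension).
SAMPLES = {
    "no EKU extension": None,
    "clientAuth only": encode_eku([CLIENT_AUTH]),
    "serverAuth + clientAuth": encode_eku([SERVER_AUTH, CLIENT_AUTH]),
    "anyExtendedKeyUsage only": encode_eku([ANY_EKU]),
}


def classify_samples():
    """Return {description: (constrained as written, constrained with fix)}."""
    result = {}
    for label, der in SAMPLES.items():
        oids = None if der is None else parse_eku(der)
        result[label] = (constrained_as_written(oids),
                         constrained_with_any_eku_fix(oids))
    return result


if __name__ == "__main__":
    for label, (written, fixed) in classify_samples().items():
        print(f"{label:26s} as written: {written!s:5s}  with fix: {fixed}")
```

Only the last sample differs between the two predicates: an EKU extension holding nothing but anyExtendedKeyUsage is "constrained" under the literal clause and unconstrained under the corrected one, which is exactly the kind of gap that stays invisible while constrained CA certificates need not be disclosed. To run the check on real certificates, feed `parse_eku` the raw extnValue octets of the 2.5.29.37 extension from whatever X.509 parser you already use.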