On 21/06/17 13:13, Doug Beattie wrote:
>> Do they have audits of any sort?
>
> There had not been any audit requirements for EKU technically
> constrained CAs, so no, there are no audits.
In your view, having an EKU limiting the intermediate to just SSL or to just email makes it a technically constrained CA, and therefore not subject to audit under any root program? I ask because Microsoft's policy at http://aka.ms/auditreqs says:

"Microsoft requires that every CA submit evidence of a Qualifying Audit on an annual basis for the CA and any non-limited root within its PKI chain."

In your view, are these two intermediates, which are constrained only by having the email and client auth EKUs, "limited" or "non-limited"?

>>> The other customer complies with the prior words in the Mozilla policy
>>> regarding "Business Controls".
>>
>> By implication, and reading your previous emails, are you saying that the
>> first customer does not comply with those words?
>
> That is correct. Enforcement is via contractual/business controls which is
> compliant with the current policy, as vague and weak as that is (and you've
> previously acknowledged). Moving from this level of control to being audited
> or having name constraints will take more time than just a couple of months.

Leaving aside the requirements of other root programs, I agree this arrangement with the second customer is compliant with our current policy. For the new policy, they have 3 options: a) get an audit, b) use a name-constrained intermediate, or c) move to a hosted service which limits them to an approved set of domains. Consistent with the principles outlined for Symantec regarding business continuity, the fact that GlobalSign does not have the capability to provide c) should not be a factor in us determining how long we should allow this particular situation to continue.

It's worth noting that if we had discovered this situation for SSL - that an unconstrained intermediate or uncontrolled power of issuance had been given to a company with no audit - we would be requiring the intermediate be revoked today, and probably taking further action as well.
> Two further points:
> 1) It's not clear if email applications work with name constrained CAs. Some
> have reported email applications do not work, however, I have not tested this
> case.

That sounds like something you might want to investigate as a matter of urgency :-)

> Both of the customers are large US based companies with contractual
> obligations to only issue secure email certificates to domains which they own
> and control so I hope we can come to an agreement on the phased plan.

The size or geographic location of a company is not necessarily correlated to their competence in handling unconstrained (for email) intermediate CAs correctly. Our default assumption must be that, without audit, they don't know how to handle it properly.

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
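Added illustration, not part of the thread above and not code from GlobalSign or Mozilla: option b) in Gerv's list is a name-constrained intermediate, and Doug's point 1) asks whether mail clients honour such constraints. The Python below implements what a conforming RFC 5280 section 4.2.1.10 validator does for the two name forms an S/MIME intermediate is normally constrained on, rfc822Name and dNSName, and checks a leaf certificate's names against permitted and excluded subtrees. The constraint values, the leaf names and the names `CUSTOMER_NC` and `UNCONSTRAINED_NC` are constructed for the example. It also covers the rule that an rfc822Name constraint is applied to the subject DN emailAddress when the leaf has no rfc822Name SAN, and it follows the RFC strictly (no leading-dot form for dNSName). Whether any particular mail client actually performs these checks is exactly the open question in the thread and is not something this code settles.

```python
"""RFC 5280 s.4.2.1.10 name-constraint matching for rfc822Name and dNSName.
Added illustration only; pure Python, no third-party modules."""
from dataclasses import dataclass, field


@dataclass
class NameConstraints:
    # Each entry is (name_type, value) as it would appear in an intermediate's
    # nameConstraints extension: permittedSubtrees and excludedSubtrees.
    permitted: list = field(default_factory=list)
    excluded: list = field(default_factory=list)


def dns_matches(name: str, constraint: str) -> bool:
    """dNSName: the constraint 'example.com' is satisfied by example.com and by
    any name formed by adding labels on the left (host.example.com).
    RFC 5280 does not use a leading period for dNSName constraints."""
    name, constraint = name.lower().rstrip("."), constraint.lower().rstrip(".")
    if not constraint:
        return True                       # empty subtree matches every name
    return name == constraint or name.endswith("." + constraint)


def rfc822_matches(mailbox: str, constraint: str) -> bool:
    """rfc822Name: a constraint is a full mailbox (user@example.com), a host
    (example.com: every mailbox on exactly that host) or a domain with a
    leading period (.example.com: every host *within* the domain, not the
    apex). Host parts compare case-insensitively, local parts exactly."""
    local, at, host = mailbox.rpartition("@")
    if not at:
        return False                      # not a usable mailbox, cannot match
    host = host.lower()
    c_local, c_at, c_host = constraint.rpartition("@")
    if c_at:
        return local == c_local and host == c_host.lower()
    c_host = c_host.lower()
    if c_host.startswith("."):
        return host.endswith(c_host)
    return host == c_host


MATCHERS = {"dNSName": dns_matches, "rfc822Name": rfc822_matches}


def name_permitted(name_type: str, value: str, nc: NameConstraints):
    """One name must match no excluded subtree of its type and, if any
    permitted subtrees of its type exist, at least one of them."""
    match = MATCHERS[name_type]
    for t, c in nc.excluded:
        if t == name_type and match(value, c):
            return False, f"{name_type} {value!r} falls in excluded subtree {c!r}"
    permitted = [c for t, c in nc.permitted if t == name_type]
    if permitted and not any(match(value, c) for c in permitted):
        return False, f"{name_type} {value!r} matches none of permitted {permitted}"
    return True, "ok"


def leaf_within_constraints(sans, subject_email, nc: NameConstraints):
    """Check every constrained name of a leaf certificate.
    sans: list of (name_type, value) taken from subjectAltName.
    subject_email: the emailAddress attribute of the subject DN, or None.
    Returns (ok, list_of_failure_reasons)."""
    names = [(t, v) for t, v in sans if t in MATCHERS]
    # RFC 5280: when rfc822Name is constrained and the leaf carries no
    # rfc822Name SAN, the constraint applies to the subject DN emailAddress.
    constrained_types = {t for t, _ in nc.permitted + nc.excluded}
    if ("rfc822Name" in constrained_types and subject_email
            and not any(t == "rfc822Name" for t, _ in names)):
        names.append(("rfc822Name", subject_email))
    failures = []
    for t, v in names:
        ok, reason = name_permitted(t, v, nc)
        if not ok:
            failures.append(reason)
    return not failures, failures


# Constructed constraints for a hypothetical customer intermediate: mailboxes
# at example.com and its subdomains, minus a contractor subdomain, plus the
# customer's DNS names.
CUSTOMER_NC = NameConstraints(
    permitted=[("rfc822Name", "example.com"), ("rfc822Name", ".example.com"),
               ("dNSName", "example.com")],
    excluded=[("rfc822Name", "contractors.example.com")],
)

# No nameConstraints at all is the "unconstrained for email" case in the
# thread: every mailbox anywhere validates; only the contract limits issuance.
UNCONSTRAINED_NC = NameConstraints()

if __name__ == "__main__":
    for sans, dn_email in [
        ([("rfc822Name", "alice@example.com")], None),
        ([("rfc822Name", "bob@mail.example.com")], None),
        ([("rfc822Name", "carol@contractors.example.com")], None),
        ([("rfc822Name", "dave@example.org")], None),
        ([], "eve@notexample.com"),          # legacy: email only in subject DN
        ([("dNSName", "example.com.evil.test")], None),
    ]:
        print(sans or dn_email, leaf_within_constraints(sans, dn_email, CUSTOMER_NC))
```

The two constraint forms are the ones a CA would actually choose between for a corporate S/MIME intermediate: `example.com` alone rejects `bob@mail.example.com`, so a customer with mail on subdomains needs the leading-period form as well. The last sample input shows the subject DN fallback: a certificate with no SAN but an emailAddress in its subject is still rejected, which matters because older S/MIME certificates were issued that way.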

