On 21/06/17 16:58, Doug Beattie wrote:
>> It's worth noting that if we had discovered this situation for SSL - that an
>> unconstrained intermediate or uncontrolled power of issuance had been
>> given to a company with no audit - we would be requiring the intermediate
>> be revoked today, and probably taking further action as well.
>
> Agree

After consultation, I have decided to implement this requirement with a phase-in period of six months, for already-existing intermediates. So before 15th January 2018 (add a bit because of Christmas) these customers, and any others like them at any other CA, need to have audits (over at least 30 days of operations), move to a name-constrained intermediate, or move to a managed service which does domain ownership validation on each domain added to the system. I expect these two intermediates to be revoked on or before 15th January 2018.

I realise this is not what you were hoping for, but it's not reasonable to leave unconstrained intermediates in the hands of those not qualified to hold them for a further 2 years.

I am allowing six months because, despite the weakness of the previous controls, you were in compliance with them and so it's not reasonable to ask for a super-quick move.

https://github.com/mozilla/pkipolicy/commit/44ae763f24d6509bb2311d33950108ec5ec87082

(ignore the erroneously-added logfile).

> Are there any other CAs or mail vendors that have tested name constrained
> issuing CAs? If using name constrained CAs don’t work with some or all of the
> mail applications, it seems like we might as well recommend a change to the
> requirement.

I am open to hearing further evidence on this point.

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy