Section 5.3 of Mozilla policy states:

> All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to a certificate included in Mozilla’s CA Certificate Program, MUST be operated in accordance with this policy and MUST either be technically constrained or be publicly disclosed and audited.

This could be interpreted as exempting technically constrained subordinate CA certificates from the self-audit requirements in BR section 8.1, or even from any BR compliance requirement. Since the original discussion of this issue [1] back in 2016, we have updated the scope of our policy to clearly include technically constrained certificates, and thus the requirement for BR conformance in section 2.3 does apply to these certificates. I believe that our current policy already resolves this issue. I propose that we further clarify the requirements for technically constrained certificates by adding a second sentence to the second paragraph of section 5.3.1 of the Mozilla policy as follows:

> If the certificate includes the id-kp-serverAuth extended key usage, then the certificate MUST be Name Constrained as described in section 7.1.5 of version 1.3 or later of the Baseline Requirements. The Baseline Requirements Conformance policy, as defined in section 2.3, applies to technically constrained subordinate CA certificates.

I would appreciate everyone's input on this topic.

This is: https://github.com/mozilla/pkipolicy/issues/36

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/ZMUjQ6xHrDA/ySofsF_PAgAJ

-------

This is a proposed update to Mozilla's root store policy for version 2.6. Please keep discussion in this group rather than on GitHub. Silence is consent.

Policy 2.5 (current version): https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
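The proposed sentence ("id-kp-serverAuth present implies Name Constrained") is mechanically checkable against a certificate. The Go program below, using only the standard library crypto/x509 package, is an added example and is not part of the original message or of any Mozilla tooling. It parses a CA certificate and flags one whose EKU permits id-kp-serverAuth but which carries no usable Name Constraints. Two assumptions are mine, not the message's: a CA certificate with no EKU extension, or with anyExtendedKeyUsage, is treated as serverAuth-capable; and "Name Constrained" is simplified from BR 7.1.5 to "constrains both dNSName and iPAddress, each via permittedSubtrees or excludedSubtrees" (the full BR text also covers directoryName and is more detailed than this check models). The three subordinate CA certificates are constructed, self-signed fixtures with hypothetical names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Verdict is the outcome of checking one CA certificate against "id-kp-serverAuth implies Name Constrained".
type Verdict struct {
	ServerAuthCapable bool // EKU allows id-kp-serverAuth (assumptions: see CheckServerAuthNameConstraints)
	NameConstrained   bool // Name Constraints cover both dNSName and iPAddress
	Compliant         bool // !ServerAuthCapable || NameConstrained
}

// CheckServerAuthNameConstraints evaluates a parsed CA certificate. Assumptions not in the
// message: no EKU extension or anyExtendedKeyUsage counts as serverAuth-capable; "Name
// Constrained" is read (simplified from BR 7.1.5) as constraining dNSName and iPAddress.
func CheckServerAuthNameConstraints(cert *x509.Certificate) Verdict {
	if !cert.IsCA {
		return Verdict{Compliant: true} // cannot issue certificates, so the rule does not apply
	}
	v := Verdict{ServerAuthCapable: len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0}
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth || eku == x509.ExtKeyUsageAny {
			v.ServerAuthCapable = true
		}
	}
	v.NameConstrained = (len(cert.PermittedDNSDomains) > 0 || len(cert.ExcludedDNSDomains) > 0) &&
		(len(cert.PermittedIPRanges) > 0 || len(cert.ExcludedIPRanges) > 0)
	v.Compliant = !v.ServerAuthCapable || v.NameConstrained
	return v
}

// caTemplate is a minimal CA template for the constructed fixtures below.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
}

// selfSign generates a P-256 key and self-signs tmpl; the check reads extensions, not the chain.
func selfSign(tmpl *x509.Certificate) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// DemoVerdicts builds three constructed CA certificates (hypothetical fixtures) and checks each.
func DemoVerdicts() (map[string]Verdict, error) {
	// Fixture 1: serverAuth EKU but no Name Constraints extension.
	unconstrained := caTemplate("Sub-CA serverAuth unconstrained", 1)
	unconstrained.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	// Fixture 2: serverAuth EKU, one permitted dNSName subtree, all IP space excluded.
	_, v4all, _ := net.ParseCIDR("0.0.0.0/0")
	_, v6all, _ := net.ParseCIDR("::/0")
	constrained := caTemplate("Sub-CA serverAuth constrained", 2)
	constrained.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	constrained.PermittedDNSDomainsCritical = true
	constrained.PermittedDNSDomains = []string{"example.test"}
	constrained.ExcludedIPRanges = []*net.IPNet{v4all, v6all}
	// Fixture 3: emailProtection only, outside the scope of the serverAuth rule.
	emailOnly := caTemplate("Sub-CA email only", 3)
	emailOnly.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}

	fixtures := map[string]*x509.Certificate{"serverauth-unconstrained": unconstrained, "serverauth-constrained": constrained, "email-only": emailOnly}
	out := map[string]Verdict{}
	for name, tmpl := range fixtures {
		cert, err := selfSign(tmpl)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		out[name] = CheckServerAuthNameConstraints(cert)
	}
	return out, nil
}

func main() {
	verdicts, err := DemoVerdicts()
	fmt.Println(verdicts, err)
}
```

To check a real subordinate CA certificate, decode its PEM and pass the result of x509.ParseCertificate to CheckServerAuthNameConstraints. A certificate reported as ServerAuthCapable but not NameConstrained is, under the proposed wording, not technically constrained, and under section 5.3 as quoted above it must then be publicly disclosed and audited.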

