Hearing no objections, I have made the proposed clarification in the version 2.6 branch: https://github.com/mozilla/pkipolicy/commit/def9c711163e0cae6a19866fb551e915e3bcef12 - Wayne
On Tue, Apr 17, 2018 at 11:20 AM, Wayne Thayer <[email protected]> wrote:

> Section 5.3 of Mozilla policy states:
>
>> All certificates that are capable of being used to issue new certificates,
>> and which directly or transitively chain to a certificate included in
>> Mozilla’s CA Certificate Program, MUST be operated in accordance with this
>> policy and MUST either be technically constrained or be publicly disclosed
>> and audited.
>
> This could be interpreted as exempting technically constrained subordinate
> CA certificates from the self-audit requirements in BR section 8.1, or even
> from any BR compliance requirement. Since the original discussion of this
> issue [1] back in 2016, we have updated the scope of our policy to clearly
> include technically constrained certificates, and thus the requirement for
> BR conformance in section 2.3 does apply to these certificates. I believe
> that our current policy already resolves this issue.
>
> I propose that we further clarify the requirements for technically
> constrained certificates by adding a second sentence to the second
> paragraph of section 5.3.1 of the Mozilla policy as follows:
>
>> If the certificate includes the id-kp-serverAuth extended key usage, then
>> the certificate MUST be Name Constrained as described in section 7.1.5 of
>> version 1.3 or later of the Baseline Requirements. The Baseline
>> Requirements Conformance policy, as defined in section 2.3, applies to
>> technically constrained subordinate CA certificates.
>
> I would appreciate everyone's input on this topic.
>
> This is: https://github.com/mozilla/pkipolicy/issues/36
>
> [1] https://groups.google.com/d/msg/mozilla.dev.security.policy/ZMUjQ6xHrDA/ySofsF_PAgAJ
>
> -------
>
> This is a proposed update to Mozilla's root store policy for version
> 2.6. Please keep discussion in this group rather than on GitHub. Silence
> is consent.
>
> Policy 2.5 (current version):
> https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
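The proposed sentence turns on two properties of a subordinate CA certificate that a root program or CA can check mechanically: whether its EKU makes it capable of issuing id-kp-serverAuth certificates, and whether it carries a Name Constraints extension. As an added example that is not part of this thread or of Mozilla's policy tooling, the Go code below applies that test to constructed, self-signed test certificates built with the standard library; treating a certificate with no EKU at all as serverAuth-capable is my assumption (BR 7.1.5 requires the EKU to be present), not a statement of the policy.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// hasNameConstraints reports whether any permitted or excluded subtree (DNS, IP, email, URI) was parsed.
func hasNameConstraints(c *x509.Certificate) bool {
	return len(c.PermittedDNSDomains)+len(c.ExcludedDNSDomains)+len(c.PermittedIPRanges)+len(c.ExcludedIPRanges)+
		len(c.PermittedEmailAddresses)+len(c.ExcludedEmailAddresses)+len(c.PermittedURIDomains)+len(c.ExcludedURIDomains) > 0
}

// serverAuthCapable is true when the EKU lists id-kp-serverAuth or anyExtendedKeyUsage.
// A certificate with no EKU at all is also treated as capable (assumption: BR 7.1.5
// requires the EKU to be present in a technically constrained CA certificate).
func serverAuthCapable(c *x509.Certificate) bool {
	capable := len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0
	for _, eku := range c.ExtKeyUsage {
		capable = capable || eku == x509.ExtKeyUsageServerAuth || eku == x509.ExtKeyUsageAny
	}
	return capable
}

// compliant applies the proposed sentence: a CA certificate able to issue serverAuth certificates must be Name Constrained.
func compliant(c *x509.Certificate) bool {
	return !c.IsCA || !serverAuthCapable(c) || hasNameConstraints(c)
}

// buildSubCA makes a constructed, self-signed test CA with the given EKUs and permitted DNS subtrees (demo helper only).
func buildSubCA(ekus []x509.ExtKeyUsage, permitted []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Sub CA"}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: ekus, PermittedDNSDomains: permitted,
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Run compliant() over a parsed intermediate from a CA's disclosure bundle to see which technically constrained certificates the proposed sentence would affect.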

