During a 2.6 policy discussion [1], we agreed to add the following language
to section 5.3 "Intermediate Certificates":

> Intermediate certificates created after January 1, 2019:
>
> * MUST contain an EKU extension; and,
> * MUST NOT include the anyExtendedKeyUsage KeyPurposeId; and,
> * MUST NOT include both the id-kp-serverAuth and id-kp-emailProtection
> KeyPurposeIds in the same certificate.

It has been pointed out to me that the very next paragraph of section 5.3
states:

> These requirements include all cross-certified certificates which chain to
> a certificate that is included in Mozilla’s CA Certificate Program.

The term "cross-certified certificates" could refer to the actual
cross-certificate, or it could refer to intermediate certificates that
chain up to the cross certificate. In the case of a root that is being
cross-certified, the former interpretation effectively means that distinct
cross-certificates would be required for serverAuth and emailProtection, as
follows:

1 - Root <-- Cross-certificate (EKU=emailProtection) <-- Intermediate certificate (EKU=emailProtection) <-- leaf certificate (S/MIME)
2 - Root <-- Cross-certificate (EKU=serverAuth) <-- Intermediate certificate (EKU=serverAuth) <-- leaf certificate (SSL/TLS)

Should our policy require cross-certificates to be constrained to either
serverAuth or emailProtection via EKU, or should this requirement only
apply to [all other] intermediate certificates?

What is the correct interpretation of section 5.3 of the policy as
currently written?

I would appreciate everyone's input on these questions.

- Wayne

[1]
https://groups.google.com/d/msg/mozilla.dev.security.policy/QIweY3cHRyA/vbtnfJ4zCAAJ
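The following is an added example, not part of the original message and not Mozilla's or any CA's tooling. It encodes the three section 5.3 EKU rules quoted above as a lint check using only Go's standard crypto/x509 package, then applies that check to a constructed root and to several constructed cross-certificates for it: the two split cross-certificates from chains 1 and 2, plus the three shapes the rule forbids (no EKU, anyExtendedKeyUsage, and serverAuth together with emailProtection). This is the "former interpretation" from the message, in which the cross-certificate itself must satisfy the rule; the code does not settle which interpretation is correct. Assumptions of the example: NotBefore is used as the certificate's creation date, a self-signed certificate is treated as a root and therefore out of scope, and all names, labels and keys are constructed throw-away values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func hasPurpose(c *x509.Certificate, p x509.ExtKeyUsage) bool {
	for _, got := range c.ExtKeyUsage {
		if got == p {
			return true
		}
	}
	return false
}

// CheckIntermediateEKU lists the section 5.3 EKU rules c breaks. nil means the rules do
// not apply: not a CA, a self-signed root, or NotBefore (assumed creation date) is not after 2019-01-01.
func CheckIntermediateEKU(c *x509.Certificate) []string {
	cutoff := time.Date(2019, 1, 1, 0, 0, 0, 0, time.UTC)
	if !c.IsCA || c.CheckSignatureFrom(c) == nil || !c.NotBefore.After(cutoff) {
		return nil
	}
	// Go parses unrecognised purposes into UnknownExtKeyUsage, so both empty means no EKU extension.
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		return []string{"MUST contain an EKU extension"}
	}
	var v []string
	if hasPurpose(c, x509.ExtKeyUsageAny) {
		v = append(v, "MUST NOT include anyExtendedKeyUsage")
	}
	if hasPurpose(c, x509.ExtKeyUsageServerAuth) && hasPurpose(c, x509.ExtKeyUsageEmailProtection) {
		v = append(v, "MUST NOT include both id-kp-serverAuth and id-kp-emailProtection")
	}
	return v
}

// newCA issues a constructed CA certificate with the given purposes, signed by parent
// (self-signed when parent is nil). Throw-away keys; nothing here is a real CA.
func newCA(cn string, purposes []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Date(2020, 6, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2030, 6, 1, 0, 0, 0, 0, time.UTC),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtKeyUsage:           purposes,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// CrossCertScenarios builds a constructed root and cross-certificates for it (the two
// split chains from the message plus the shapes the rule forbids), mapping each label to its violations.
func CrossCertScenarios() (map[string][]string, error) {
	root, rootKey, err := newCA("Constructed Root", nil, nil, nil)
	if err != nil {
		return nil, err
	}
	out := map[string][]string{"root": CheckIntermediateEKU(root)}
	cases := map[string][]x509.ExtKeyUsage{
		"cross-emailProtection": {x509.ExtKeyUsageEmailProtection},
		"cross-serverAuth":      {x509.ExtKeyUsageServerAuth},
		"cross-both":            {x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageEmailProtection},
		"cross-any":             {x509.ExtKeyUsageAny},
		"cross-noEKU":           nil,
	}
	for label, purposes := range cases {
		cross, _, err := newCA(label, purposes, root, rootKey)
		if err != nil {
			return nil, err
		}
		out[label] = CheckIntermediateEKU(cross)
	}
	return out, nil
}

func main() {
	res, err := CrossCertScenarios()
	fmt.Println(res, err)
}
```

Run as `go run` it prints the violations per label; the root and the two split cross-certificates come back clean, while cross-both, cross-any and cross-noEKU each report one rule. The root-scope and cut-off checks are this example's additions for practicality (the quoted policy text speaks only of intermediates created after the date), and a real lint would typically read the creation date from CA records rather than from NotBefore.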
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy