Kathleen pointed out that one of the purposes of this section is to require disclosure of cross-certificates, and my first attempted fix seems to violate that purpose. Here is my second attempt to clarify the language in section 5.3:
https://github.com/mozilla/pkipolicy/commit/43bdf5d6e97cdda0d8b11ee0f602a5282e848874

I would appreciate everyone's comments on this proposed change. If we agree that this achieves the intended effect of requiring separation of intermediate certificates by usage but excluding cross-certificates from this requirement, then I now believe it will be best for me to publish an update of the policy.

- Wayne

On Tue, Jul 17, 2018 at 10:42 AM Bruce via dev-security-policy <[email protected]> wrote:

> On Monday, July 16, 2018 at 7:25:09 PM UTC-4, Wayne Thayer wrote:
> > On Fri, Jul 13, 2018 at 3:50 PM Tim Hollebeek via dev-security-policy <[email protected]> wrote:
> > > Yeah, I agree I don’t think it was intended. But now that I am aware of the issue, I think the crossing workaround per EKU is actually a good thing for people to be doing. Unless someone can point out why it's bad ...
> >
> > I'd like to consider any new restrictions on cross-certificates separately. I've created https://github.com/mozilla/pkipolicy/issues/145 to track this idea, and added that if we go that far we should also think about restricting roots to either the Mozilla websites or email trust bit.
> >
> > > Might want to give people a little more time to plan and adapt to that change though since I doubt anyone thought of it and people need planning runway to change their procedures if it is going to be interpreted this way.
> >
> > It seems that we have agreement that the current change was not intended to apply to cross certificates. I think that is the meaning of the existing language, but it would be clearer if the final paragraph of section 5.3 was amended to:
> >
> > These requirements include all intermediate certificates signed by cross-certificates which chain to a certificate that is included in Mozilla’s CA Certificate Program.
> >
> > Questions:
> > - does anyone object to that new wording?
> > - should the official policy be updated with this change prior to 1-Jan when the requirement to separate usages of new intermediate certificates goes into effect, or can this wait since it is only a clarification?
>
> Since this is only a clarification, then I think the change can wait until the next update of the Mozilla policy.
>
> Thanks, Bruce.
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
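The thread turns on two checks a root program auditor would actually run: whether a newly issued intermediate restricts its EKU to TLS server authentication or to email protection rather than both, and whether a given certificate is a cross-certificate and therefore outside the section 5.3 requirement under the proposed wording. The Python below is an added example, not code from the thread or from Mozilla's pkipolicy repository: it decodes the extendedKeyUsage extension from raw DER and applies the rule to a few constructed certificate records. Three points are assumptions rather than anything the thread states: the cross-certificate test (same subject and public key as an included root, signed by a different issuer), treating a missing EKU as "usage not separated", and reading the thread's "1-Jan" as 1 January 2019.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# EKU OIDs that correspond to the Mozilla websites and email trust bits.
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
OID_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
# Assumption: the "1-Jan" in the July 2018 thread is 1 January 2019.
EFFECTIVE_DATE = date(2019, 1, 1)


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos).
    Short-form and definite long-form lengths are enough for an extension value."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets into dotted-decimal form."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_eku(der: bytes) -> List[str]:
    """Decode an extendedKeyUsage extension value: SEQUENCE OF OBJECT IDENTIFIER."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE may only contain OBJECT IDENTIFIERs")
        oids.append(decode_oid(val))
    return oids


@dataclass
class CertRecord:
    """Constructed stand-in for the fields an auditor would extract from a real certificate."""
    subject: str
    issuer: str
    spki_fingerprint: str        # hash of SubjectPublicKeyInfo (constructed values below)
    not_before: date
    eku_der: Optional[bytes]     # raw extension value, or None when the extension is absent


def is_cross_certificate(cert: CertRecord, included_roots: List[CertRecord]) -> bool:
    """Assumption: a cross-certificate carries an included root's subject and public key
    but is signed by a different CA, so chains can terminate at either root."""
    return any(r.subject == cert.subject and r.spki_fingerprint == cert.spki_fingerprint
               and r.subject != cert.issuer for r in included_roots)


def check_usage_separation(cert: CertRecord, included_roots: List[CertRecord]) -> Optional[str]:
    """Apply the section 5.3 separation rule as discussed in the thread; None means compliant or out of scope."""
    if cert.not_before < EFFECTIVE_DATE:
        return None  # the rule applies to new intermediates only
    if is_cross_certificate(cert, included_roots):
        return None  # excluded under the proposed wording
    if cert.eku_der is None:
        return "no EKU extension: TLS and email usage are not separated"  # assumption
    ekus = decode_eku(cert.eku_der)
    if OID_SERVER_AUTH in ekus and OID_EMAIL_PROTECTION in ekus:
        return "EKU asserts both serverAuth and emailProtection"
    return None


def audit(intermediates: List[CertRecord], included_roots: List[CertRecord]) -> Dict[str, str]:
    """Return {subject: finding} for every intermediate that breaks the rule."""
    findings = {}
    for cert in intermediates:
        finding = check_usage_separation(cert, included_roots)
        if finding:
            findings[cert.subject] = finding
    return findings


# Constructed DER: SEQUENCE { serverAuth, emailProtection } and SEQUENCE { serverAuth }.
EKU_BOTH = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070304")
EKU_TLS_ONLY = bytes.fromhex("300a" "06082b06010505070301")

# Constructed records: one included root, four intermediates and one cross-certificate.
ROOT_A = CertRecord("CN=Example Root A", "CN=Example Root A", "spki-A", date(2010, 1, 1), None)
INCLUDED_ROOTS = [ROOT_A]
SAMPLE_INTERMEDIATES = [
    CertRecord("CN=Example Issuing CA 1", "CN=Example Root A", "spki-1", date(2019, 2, 1), EKU_BOTH),
    CertRecord("CN=Example Issuing CA 2", "CN=Example Root A", "spki-2", date(2019, 2, 1), EKU_TLS_ONLY),
    CertRecord("CN=Example Root A", "CN=Example Root B", "spki-A", date(2019, 3, 1), EKU_BOTH),  # cross-cert
    CertRecord("CN=Example Legacy CA", "CN=Example Root A", "spki-3", date(2017, 6, 1), EKU_BOTH),
    CertRecord("CN=Example Issuing CA 4", "CN=Example Root A", "spki-4", date(2019, 4, 1), None),
]

if __name__ == "__main__":
    for subject, finding in audit(SAMPLE_INTERMEDIATES, INCLUDED_ROOTS).items():
        print(f"{subject}: {finding}")
```

Only "Example Issuing CA 1" (both EKUs) and "Example Issuing CA 4" (no EKU) are reported; the cross-certificate that re-signs Example Root A under Example Root B carries both EKUs but is skipped, which is exactly the distinction the proposed section 5.3 wording draws. For real certificates the same `decode_eku` can be fed the extension value pulled out of a parsed X.509 structure.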

