Having received no comments on this proposal, I plan to go ahead and publish version 2.6.1 of the Mozilla Root Store Policy with the third paragraph of section 5.3 clarified as follows:
Intermediate certificates created after January 1, 2019, with the exception of cross-certificates that share a private key with a corresponding root certificate:
* MUST contain an EKU extension; and,
* MUST NOT include the anyExtendedKeyUsage KeyPurposeId; and,
* MUST NOT include both the id-kp-serverAuth and id-kp-emailProtection KeyPurposeIds in the same certificate.

- Wayne

On Wed, Jul 18, 2018 at 11:55 AM Wayne Thayer <[email protected]> wrote:

> Kathleen pointed out that one of the purposes of this section is to require disclosure of cross-certificates, and my first attempted fix seems to violate that purpose. Here is my second attempt to clarify the language in section 5.3:
>
> https://github.com/mozilla/pkipolicy/commit/43bdf5d6e97cdda0d8b11ee0f602a5282e848874
>
> I would appreciate everyone's comments on this proposed change.
>
> If we agree that this achieves the intended effect of requiring separation of intermediate certificates by usage but excluding cross-certificates from this requirement, then I now believe it will be best for me to publish an update of the policy.
>
> - Wayne
>
> On Tue, Jul 17, 2018 at 10:42 AM Bruce via dev-security-policy <[email protected]> wrote:
>
>> On Monday, July 16, 2018 at 7:25:09 PM UTC-4, Wayne Thayer wrote:
>> > On Fri, Jul 13, 2018 at 3:50 PM Tim Hollebeek via dev-security-policy <[email protected]> wrote:
>> >
>> > > Yeah, I agree I don’t think it was intended. But now that I am aware of the issue, I think the crossing workaround per EKU is actually a good thing for people to be doing. Unless someone can point out why it's bad ...
>> > >
>> > I'd like to consider any new restrictions on cross-certificates separately. I've created https://github.com/mozilla/pkipolicy/issues/145 to track this idea, and added that if we go that far we should also think about restricting roots to either the Mozilla websites or email trust bit.
>> >
>> > > Might want to give people a little more time to plan and adapt to that change though since I doubt anyone thought of it and people need planning runway to change their procedures if it is going to be interpreted this way.
>> > >
>> > It seems that we have agreement that the current change was not intended to apply to cross certificates. I think that is the meaning of the existing language, but it would be clearer if the final paragraph of section 5.3 was amended to:
>> >
>> > These requirements include all intermediate certificates signed by cross-certificates which chain to a certificate that is included in Mozilla’s CA Certificate Program.
>> >
>> > Questions:
>> > - does anyone object to that new wording?
>> > - should the official policy be updated with this change prior to 1-Jan when the requirement to separate usages of new intermediate certificates goes into effect, or can this wait since it is only a clarification?
>>
>> Since this is only a clarification, then I think the change can wait until the next update of the Mozilla policy.
>>
>> Thanks, Bruce.
>>
>> _______________________________________________
>> dev-security-policy mailing list
>> [email protected]
>> https://lists.mozilla.org/listinfo/dev-security-policy
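A checker for the three section 5.3 rules quoted in Wayne's message, added here as an illustration and not code from the thread or from any Mozilla tooling. It assumes the caller hands in the ExtendedKeyUsage extension value as raw DER bytes (or None when the extension is absent), the intermediate's creation date, and a flag for the cross-certificate exemption; the sample EKU values at the end are constructed.

```python
from datetime import date

ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # KeyPurposeId OIDs from RFC 5280, dotted form
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"
CUTOFF = date(2019, 1, 1)  # section 5.3 rules apply to intermediates created after this

def _read_length(der, pos):
    # DER length at der[pos] -> (length, offset past the length field); handles long form
    n = der[pos] & 0x7F if der[pos] & 0x80 else 0
    return (int.from_bytes(der[pos + 1:pos + 1 + n], "big") if n else der[pos]), pos + 1 + n
def _decode_oid(body):
    # content octets of an OBJECT IDENTIFIER -> dotted string (first octet packs two arcs)
    arcs, value = ([2, body[0] - 80] if body[0] >= 80 else [body[0] // 40, body[0] % 40]), 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last base-128 byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)
def parse_eku(der):
    # ExtendedKeyUsage ::= SEQUENCE OF KeyPurposeId (OBJECT IDENTIFIER)
    if der[0] != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    length, pos = _read_length(der, 1)
    end, oids = pos + length, []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oid_len, pos = _read_length(der, pos + 1)
        oids.append(_decode_oid(der[pos:pos + oid_len]))
        pos += oid_len
    return oids

def section_5_3_violations(eku_der, created, key_sharing_cross_cert=False):
    # Apply the three section 5.3 rules; an empty list means the intermediate is compliant
    if key_sharing_cross_cert or created <= CUTOFF:
        return []  # exempt: shares a private key with its root, or not created after the cutoff
    if eku_der is None:
        return ["missing EKU extension"]
    oids, problems = parse_eku(eku_der), []
    if ANY_EXTENDED_KEY_USAGE in oids:
        problems.append("includes anyExtendedKeyUsage")
    if ID_KP_SERVER_AUTH in oids and ID_KP_EMAIL_PROTECTION in oids:
        problems.append("includes both id-kp-serverAuth and id-kp-emailProtection")
    return problems

# Constructed sample EKU extension values (DER), not taken from any real certificate
EKU_SERVER_AND_EMAIL = bytes.fromhex("301406082b0601050507030106082b06010505070304")
EKU_ANY = bytes.fromhex("30060604551d2500")
```

The parser only covers the EKU extension value itself; a real linter would pull that value, the creation date and the key-sharing relationship out of the full certificate and the issuing root before calling the check.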

