On 07/10/2019 17:35, Ryan Sleevi wrote:
> On Mon, Oct 7, 2019 at 11:26 AM Jakob Bohm via dev-security-policy <
> email@example.com> wrote:
>
>> On 07/10/2019 16:52, Ryan Sleevi wrote:
>>> I'm curious how folks feel about the following practice:
>>>
>>> Imagine a CA, "Foo", that creates a new Root Certificate ("Root 1"). They
>>> create this Root Certificate after the effective date of the Baseline
>>> Requirements, but prior to Root Programs consistently requiring compliance
>>> with the Baseline Requirements (i.e. between 2012 and 2014). This Root
>>> Certificate does not comply with the BRs' rules on Subject: namely, it
>>> omits the Country field.
>>
>> Clarification needed: Does it omit Country from the DN of the root 1
>> itself, from the DN of intermediary CA certs and/or from the DN of End
>> Entity certs?
>>
>
> It's as I stated: The Subject of the Root Certificate omits the Country
> field.
You were unclear if Root 1 omitted the C element from its own name (a BR
requirement for new roots), or from various aspects of the issuance from
Root 1 (also BR requirements). It is now clear that the potential BR
violation is only in the DN of Root 1 itself, and for the purpose of this
hypothetical, we can assume that all other aspects of Root 1 operation are
BR compliant.

>>> Later, in 2019, Foo takes their existing Root Certificate ("Root 2"),
>>> included within Mozilla products, and cross-signs the Subject. This now
>>> creates a cross-signed certificate, "Root 1 signed-by Root 2", which has a
>>> Subject field that does not comport with the Baseline Requirements.
>>
>> Nit: Signs the Subject => Signs Root 1
>>
>
> Perhaps it would be helpful if you were clearer about what you believe you
> were correcting.
>

A minor typo (nit) in your original post. You wrote "signs the Subject"
instead of "signs Root 1".

> I thought I was very precise here, so it's useful to understand your
> confusion:
>
> Root 2, a root included in Mozilla products, cross-signs Root 1, a root
> which omits the Country field from the Subject.
>
> This creates a certificate, whose issuer is Root 2 (a Root included in
> Mozilla Products), and whose Subject is Root 1. The Subject of Root 1 does
> not meet the BRs' requirements on Subjects for intermediate/root
> certificates: namely, the certificate issued by Root 2 omits the C, because
> Root 1 omits the C.
>

This is now clear after the clarification that C was only omitted in the DN
of Root 1 itself.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
firstname.lastname@example.org
https://lists.mozilla.org/listinfo/dev-security-policy
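The Subject rule the thread turns on, as an added example that is not part of the thread or of any CA's tooling: a small DER codec for an X.509 Name plus a check for the attributes the BRs require in Root and Subordinate CA Subjects (C, O, CN). The "Foo" Subjects and the country code are constructed; the codec also handles long-form DER lengths and unknown attribute types, which goes beyond the specific case discussed.

```python
OID_C, OID_O, OID_CN = "2.5.4.6", "2.5.4.10", "2.5.4.3"  # X.520 countryName, organizationName, commonName
def _tlv(tag, body):  # DER TLV: short-form length below 128 bytes, long-form above
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def _oid(dotted):  # OBJECT IDENTIFIER; arcs below 128 suffice for X.520 attribute types
    a = [int(x) for x in dotted.split(".")]
    return _tlv(0x06, bytes([40 * a[0] + a[1]] + a[2:]))

# Attribute types the BRs require in a Root/Subordinate CA Subject, keyed by DER OID.
CA_REQUIRED = {_oid(OID_C): "C", _oid(OID_O): "O", _oid(OID_CN): "CN"}

def encode_name(attrs):
    """Name = SEQUENCE OF RDN; each RDN here is a SET holding one AttributeTypeAndValue."""
    rdns = b""
    for oid, value in attrs:
        vtag = 0x13 if oid == OID_C else 0x0C  # PrintableString for C, UTF8String otherwise
        rdns += _tlv(0x31, _tlv(0x30, _oid(oid) + _tlv(vtag, value.encode())))
    return _tlv(0x30, rdns)

def _read_tlv(buf, pos):  # -> (tag, body, position after this TLV)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low bits give how many bytes hold the length
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln

def decode_name(der):
    """Map each attribute (short name, or OID body hex if unknown) to its string value."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = {}, 0
    while pos < len(seq):
        _, rdn, pos = _read_tlv(seq, pos)           # SET OF AttributeTypeAndValue
        rpos = 0
        while rpos < len(rdn):
            _, atv, rpos = _read_tlv(rdn, rpos)     # SEQUENCE { type OID, value }
            _, oid, vpos = _read_tlv(atv, 0)
            _, val, _ = _read_tlv(atv, vpos)
            attrs[CA_REQUIRED.get(_tlv(0x06, oid), oid.hex())] = val.decode()
    return attrs

def missing_ca_subject_fields(subject_der):  # BR-required attributes absent from a CA Subject
    return [n for n in CA_REQUIRED.values() if n not in decode_name(subject_der)]
# Constructed Subjects for the hypothetical "Foo" CA; a cross-signed "Root 1 signed-by Root 2" carries ROOT1_SUBJECT unchanged.
ROOT1_SUBJECT = encode_name([(OID_O, "Foo CA"), (OID_CN, "Foo Root 1")])  # omits C
ROOT2_SUBJECT = encode_name([(OID_C, "DK"), (OID_O, "Foo CA"), (OID_CN, "Foo Root 2")])
```

Running `missing_ca_subject_fields` over the cross-signed certificate's Subject reports the same missing C as for Root 1 itself, which is why the defect survives the cross-sign.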