Hi Dimitris.  I don't see where you're getting "in order to get an EV audit" 
from.  The proposed language deals with whether or not a CA has got all of the 
audits that Mozilla deems necessary, not with whether or not a CA may obtain 
new audits.

________________________________
From: Dimitris Zacharopoulos <ji...@it.auth.gr>
Sent: 16 October 2020 12:48
To: Rob Stradling <r...@sectigo.com>; Ben Wilson <bwil...@mozilla.com>; 
mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: Policy 2.7.1: MRSP Issue #152: Add EV Audit exception for Policy 
Constraints


CAUTION: This email originated from outside of the organization. Do not click 
links or open attachments unless you recognize the sender and know the content 
is safe.


Rob,

This looks like a chicken-egg problem. A RootCA that wants to enable EV needs 
to get an EV audit. The proposed language, if I am not misunderstanding 
something, says that in order to get an EV audit, it must be... "EV-enabled"?

Dimitris.

On 2020-10-16 2:33 μ.μ., Rob Stradling wrote:
Hi Ben.  I agree with Dimitris that the proposed language is a bit confusing.

> "(i.e. a subordinate CA under an EV-enabled root that contains no EKU or the 
> id-kp-serverAuth EKU or anyExtendedKeyUsage EKU, and a certificatePolicies 
> extension that asserts the CABF EV OID of 2.23.140.1.1, the anyPolicy OID, or 
> the CA's EV policy OID)."

It's not clear from that sentence if "...that contains no EKU or the 
id-kp-serverAuth EKU or anyExtendedKeyUsage EKU" is meant to apply to "a 
subordinate CA" or "an EV-enabled root".  For clarity, I suggest converting 
this sentence into a bulleted list; and to avoid repeating that bulleted list 
unnecessarily, I suggest putting it into a new section 3.1.2.3, which sections 
3.1.2.1 and 3.1.2.2 would then reference.

I've had a go at drafting a PR here: 
https://github.com/robstradling/pkipolicy/pull/1<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Frobstradling%2Fpkipolicy%2Fpull%2F1&data=04%7C01%7Crob%40sectigo.com%7C267f980cdb1d4264989708d871c976a5%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637384457389648046%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=7kZEIqg9yhYyzf1HGTq979OACtnaUyy4CtGLwXcvuAE%3D&reserved=0>

________________________________
From: dev-security-policy 
<dev-security-policy-boun...@lists.mozilla.org><mailto:dev-security-policy-boun...@lists.mozilla.org>
 on behalf of Dimitris Zacharopoulos via dev-security-policy 
<dev-security-policy@lists.mozilla.org><mailto:dev-security-policy@lists.mozilla.org>
Sent: 16 October 2020 12:31
To: Ben Wilson <bwil...@mozilla.com><mailto:bwil...@mozilla.com>; 
mozilla-dev-security-policy 
<mozilla-dev-security-pol...@lists.mozilla.org><mailto:mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: Policy 2.7.1: MRSP Issue #152: Add EV Audit exception for Policy 
Constraints

CAUTION: This email originated from outside of the organization. Do not click 
links or open attachments unless you recognize the sender and know the content 
is safe.


On 2020-10-15 11:36 μ.μ., Ben Wilson via dev-security-policy wrote:
>   This issue is presented for resolution in the next version of the Mozilla
> Root Store Policy. It is related to Issue #147
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Fissues%2F147&amp;data=04%7C01%7Crob%40sectigo.com%7Ca230422a644142b9d71a08d871c70667%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637384446910767139%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=SWvjOTEj6vaGRVCDZS%2FMMEPFCrsDfvpwli6lfKkzCHc%3D&amp;reserved=0<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Fissues%2F147&data=04%7C01%7Crob%40sectigo.com%7C267f980cdb1d4264989708d871c976a5%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637384457389653038%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=GErhYhRKrMJFWwPpsbjgQx0GNYbHO6PNehEhnbGtBJ4%3D&reserved=0>>
>  (previously posted for
> discussion on this list on 6-Oct-2020).
>
> Possible language is presented here:
> https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FBenWilson-Mozilla%2Fpkipolicy%2Fcommit%2Fc1acc76ad9f05038dc82281532fb215d71d537d4&amp;data=04%7C01%7Crob%40sectigo.com%7Ca230422a644142b9d71a08d871c70667%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637384446910767139%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=s4Nf4ViQnw8W2ckrofP%2BGYFeF5P4UHUWGfyEo8lEv4M%3D&amp;reserved=0<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FBenWilson-Mozilla%2Fpkipolicy%2Fcommit%2Fc1acc76ad9f05038dc82281532fb215d71d537d4&data=04%7C01%7Crob%40sectigo.com%7C267f980cdb1d4264989708d871c976a5%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637384457389658028%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=dUiZ8pfleIi9af8yuG%2FX5bagzx9qTAy3Fcb%2BK1RdPgA%3D&reserved=0>
>
> In addition to replacing "if issuing EV certificates" with "if capable of
> issuing EV certificates" in two places -- for WebTrust and ETSI audits --
> it would be followed by "(i.e. a subordinate CA under an EV-enabled root
> that contains no EKU or the id-kp-serverAuth EKU or anyExtendedKeyUsage
> EKU, and a certificatePolicies extension that asserts the CABF EV OID of
> 2.23.140.1.1, the anyPolicy OID, or the CA's EV policy OID)." Thus, Mozilla
> considers that a CA is capable of issuing EV certificates if it is (1) a
> subordinate CA (2) under an EV-enabled root (3) that contains no EKU or the
> id-kp-serverAuth EKU or anyExtendedKeyUsage EKU, and (4) a
> certificatePolicies extension that asserts the CABF EV OID of 2.23.140.1.1,
> the anyPolicy OID, or the CA's EV policy OID.
>
> I look forward to your suggestions.

Hello Ben,

I am trying to understand the expectations from Mozilla:

- If a CA that has an EV-capable RootCA , uses a subCA Certificate that
contains the id-kp-serverAuth EKU and the anyPolicy OID that does not
issue EV end-entity Certificates, is this considered a policy violation
if this subCA is not explicitly included in an EV audit scope (ETSI or
WebTrust)?

- If a subCA Certificate that contains the id-kp-serverAuth EKU and the
anyPolicy OID was not covered by an EV-scope audit (because it did not
issue EV Certificates) and it later decides to update the profile and
policies/practices to comply with the EV Guidelines for everything
related to end-entity certificates in order to start issuing EV
Certificates and is later added to an EV-scope audit, is that an allowed
practice? Judging from the current EV Guidelines I didn't see anything
forbidding this practice. In fact this is supported via section 17.4.

The proposed language is a bit confusing so hopefully by getting
Mozilla's position on the above two questions, we can propose some
improvements.


Best regards,
Dimitris.


>
> Thanks,
>
> Ben
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org>
> https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.mozilla.org%2Flistinfo%2Fdev-security-policy&amp;data=04%7C01%7Crob%40sectigo.com%7Ca230422a644142b9d71a08d871c70667%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637384446910772135%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=Ofpen2baqYtT4B7HgetKK%2Biq7SEy%2F%2Bq4x3lcI7OKgwU%3D&amp;reserved=0<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.mozilla.org%2Flistinfo%2Fdev-security-policy&data=04%7C01%7Crob%40sectigo.com%7C267f980cdb1d4264989708d871c976a5%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637384457389663020%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=7ULtrrbqWYSQxg27h2MCb3%2BDUG9kAB1A1O2aPGVRebU%3D&reserved=0>

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org>
https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.mozilla.org%2Flistinfo%2Fdev-security-policy&amp;data=04%7C01%7Crob%40sectigo.com%7Ca230422a644142b9d71a08d871c70667%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637384446910772135%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=Ofpen2baqYtT4B7HgetKK%2Biq7SEy%2F%2Bq4x3lcI7OKgwU%3D&amp;reserved=0<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.mozilla.org%2Flistinfo%2Fdev-security-policy&data=04%7C01%7Crob%40sectigo.com%7C267f980cdb1d4264989708d871c976a5%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637384457389668012%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=YwZdkQxyJSB7ErKKagTtoYKDzumwC2Fd%2FvOCcLaR3tY%3D&reserved=0>

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to