Hi Ben, Hi all,

sorry for the late reply. Thanks to your summary yesterday, I re-checked all the open issues and stumbled upon one question with regard to this issue that didn't come to my mind earlier.

I am not sure if I am understanding correctly the desired outcome of this change. Forgive me if I am overlooking something too obvious at the moment.

Main parts of the EV requirements and hence of an EV audit are about the issuance and certificate profile of end-entity certificates. Let's say we have an EV-enabled Root CA "A" and a Sub-CA "B", which is only used to issue DV certificates, but which is not properly constrained and hence would be EV capable. Now, if I were to perform an EV audit on Sub-CA "B", then of course all issued end-entity certificates would fail to meet the EV requirements on end-entity certificates (obviously, because they are DV certificates...). As a result, such a Sub-CA would be non-conformant with regard to EV requirements and not pass the audit.

So is the intent to not allow such Sub-CAs, because they can't pass the necessary audit? Or is the intent only that the Sub-CA certificate for "B" must meet all EV requirements on Sub-CA certificates?

Or did you have a scenario in mind where a Sub-CA "C" has been used to issue EV certificates, is then (temporarily) taken out of service and sometime later activated again? Now someone could (but of course shouldn't) argue that "C" has not been issuing EV certs and hence no EV audits were necessary for that period.

Best regards
Matthias

> -----Original Message-----
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Ben Wilson via dev-security-policy
> Sent: Tuesday, 6 October 2020 22:38
> To: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: MRSP Issue #147 - Require EV audits for certificates capable of issuing EV certificates
>
> #147 <https://github.com/mozilla/pkipolicy/issues/147> - Require EV audits for certificates capable of issuing EV certificates – Clarify that EV audits are required for all intermediate certificates that are technically capable of issuing EV certificates, even when not currently issuing EV certificates.
>
> This issue is presented for resolution in the next version of the Mozilla Root Store Policy.
>
> Suggested language is presented here:
> https://github.com/BenWilson-Mozilla/pkipolicy/commit/a83eca6d7d8bf2a3b30529775cb55b0c8a5f982b
>
> The proposal is to replace "if issuing EV certificates" with "if capable of issuing EV certificates" in two places -- for WebTrust and ETSI audits.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy