Hi Ben, Hi all,

sorry for the late reply. Thanks to your summary yesterday, I re-checked all 
the open issues and stumbled upon one question with regard to this issue that 
didn't come to my mind earlier.

I am not sure if I am understanding correctly the desired outcome of this 
change. Forgive me if I am overlooking something too obvious at the moment.
Main parts of the EV requirements and hence of an EV audit are about the 
issuance and certificate profile of end-entity certificates.

Let's say we have an EV-enabled Root CA "A" and a Sub-CA "B", which is only 
used to issue DV certificates, but which is not properly constrained and hence 
would be EV capable.

Now, if I would perform an EV audit on Sub-CA "B", then of course all issued 
end-entity certificates would fail to meet the EV requirements on end-entity 
certificates (obviously, because they are DV certificates...). As a result, 
such a Sub-CA would be non-conformant with regard to EV requirements and not pass 
the audit.
So is the intent to not allow such Sub-CAs, because they can't pass the 
necessary audit?

Or is the intent only that the Sub-CA certificate for "B" must meet all EV 
requirements on Sub-CA certificates?

Or did you have a scenario in mind where a Sub-CA "C" has been used to issue 
EV certificates, is then (temporarily) taken out of service and sometime later 
activated again? Now someone could (but of course shouldn't) argue that "C" 
has not been issuing EV certs and hence no EV audits were necessary for that 
period.

Best regards
Matthias


> -----Original Message-----
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On
> behalf of Ben Wilson via dev-security-policy
> Sent: Tuesday, 6 October 2020 22:38
> To: mozilla-dev-security-policy 
> <mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: MRSP Issue #147 - Require EV audits for certificates capable of 
> issuing EV certificates
>
> #147 <https://github.com/mozilla/pkipolicy/issues/147> - Require EV audits 
> for certificates capable of issuing EV certificates – Clarify that EV audits 
> are required for all intermediate certificates that are technically capable 
> of issuing EV certificates, even when not currently issuing EV certificates.
>
> This issue is presented for resolution in the next version of the Mozilla 
> Root Store Policy.
>
> Suggested language is presented here:
> https://github.com/BenWilson-Mozilla/pkipolicy/commit/a83eca6d7d8bf2a3b30529775cb55b0c8a5f982b
>
> The proposal is to replace "if issuing EV certificates" with "if capable of 
> issuing EV certificates" in two places -- for WebTrust and ETSI audits.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy

TÜV Informationstechnik GmbH, Langemarckstr. 20, 45141 Essen, Germany