On 6/10/2020 11:38 PM, Ben Wilson via dev-security-policy wrote:
  #147 <https://github.com/mozilla/pkipolicy/issues/147> - Require EV audits
for certificates capable of issuing EV certificates – Clarify that EV
audits are required for all intermediate certificates that are technically
capable of issuing EV certificates, even when not currently issuing EV
certificates.

This issue is presented for resolution in the next version of the Mozilla
Root Store Policy.

Suggested language is presented here:
https://github.com/BenWilson-Mozilla/pkipolicy/commit/a83eca6d7d8bf2a3b30529775cb55b0c8a5f982b


The proposal is to replace "if issuing EV certificates" with "if capable of
issuing EV certificates" in two places -- for WebTrust and ETSI audits.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Judging from the earlier discussion that took place in September 2020, I understand that some CAs have an EV-enabled hierarchy (meaning that the Root CA is in scope of the EV Guidelines and is included in an audit with "EV scope"), have issued some Intermediate CAs that issue EV Certificates and are included in the audit with "EV scope", and some Intermediate CAs that have never issued EV Certificates, nor are they intended to issue EV Certificates, and were not listed in the "EV scope" of the audit.

I realize that this policy change will require Intermediate CAs that have never issued nor intend to issue EV Certificates to be included in an EV scope audit with the sole purpose of asserting that no TLS Certificates have been issued in scope of the EV Guidelines, which translates into making sure that no end-entity certificate has been issued asserting the EV policy OID in the certificatePolicies extension. Is that a fair statement?

Is there going to be an effective date after which Intermediate CA Certificates which were not intended to issue EV Certificates will be required to have an EV audit?

Assuming my previous statement is fair, would it suffice for an auditor to examine the corpus of non-expired/non-revoked Certificates off of these "non-EV" Issuing CAs to ensure that no end-entity certificate has been issued asserting the EV policy OID according to the CA's CP/CPS?

Finally, I would like to highlight that policy OID chaining is not currently supported in the webPKI by Browsers, so even if a CA adds a particular non-EV policyOID in an Intermediate CA Certificate, this SubCA would still be technically capable of issuing an end-entity certificate asserting an EV policy OID, and that certificate would probably get EV treatment from existing browsers. Is this correct?


Thank you,
Dimitris.
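The check described in the message above (examining the certificates issued by a "non-EV" Issuing CA to confirm that none asserts an EV policy OID in its certificatePolicies extension) can be automated. The following is an added example and is not code from the thread, from Mozilla, or from any CA: it is a small pure-stdlib DER walker that decodes a certificatePolicies extension value and flags entries matching a set of EV policy OIDs. The CA/Browser Forum OIDs 2.23.140.1.1 (EV), 2.23.140.1.2.1 (DV) and 2.23.140.1.2.2 (OV) are real; the CA-specific EV OID under 1.3.6.1.4.1.99999 and the sample corpus are constructed placeholders, as is the function naming. In practice the extension value would be taken from each end-entity certificate in the CA's issuance database or from CT logs; because browsers do not enforce policy OID chaining, the check has to be run over the end-entity certificates themselves, not over the policies listed in the intermediate's own certificate.

```python
"""Flag certificatePolicies extension values that assert an EV policy OID.

Added example (stdlib only). The DER helpers below implement just enough of
X.690 to build and parse the certificatePolicies structure:

    certificatePolicies ::= SEQUENCE OF PolicyInformation
    PolicyInformation   ::= SEQUENCE { policyIdentifier OID,
                                       policyQualifiers SEQUENCE OPTIONAL }
"""
from typing import Dict, List, Tuple

CABF_EV_OID = "2.23.140.1.1"       # real CA/Browser Forum EV policy OID
CABF_DV_OID = "2.23.140.1.2.1"     # real CA/Browser Forum DV policy OID
CABF_OV_OID = "2.23.140.1.2.2"     # real CA/Browser Forum OV policy OID
CPS_QUALIFIER_OID = "1.3.6.1.5.5.7.2.1"  # real id-qt-cps qualifier OID
# Constructed placeholder for a CA-specific EV OID as declared in its CP/CPS.
CA_SPECIFIC_EV_OID = "1.3.6.1.4.1.99999.1.1"
EV_POLICY_OIDS = {CABF_EV_OID, CA_SPECIFIC_EV_OID}


def _der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the octet count
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Decode the contents of an OBJECT IDENTIFIER into dotted form."""
    subids, acc = [], 0
    for b in value:  # base-128 sub-identifiers, high bit set on all but the last octet
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    first = subids[0]  # first sub-identifier packs the first two arcs
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


def encode_oid(oid: str) -> bytes:
    """Encode a dotted OID as a complete DER OBJECT IDENTIFIER element."""
    arcs = [int(a) for a in oid.split(".")]
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    body = bytearray()
    for sid in subids:
        chunk = [sid & 0x7F]
        sid >>= 7
        while sid:
            chunk.append((sid & 0x7F) | 0x80)
            sid >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + _der_len(len(body)) + bytes(body)


def der_sequence(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body


def policy_oids(ext_value: bytes) -> List[str]:
    """Return every policyIdentifier in a DER certificatePolicies value."""
    tag, outer, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(outer):
        tag, info, pos = _read_tlv(outer, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        itag, oid_bytes, _ = _read_tlv(info, 0)  # policyQualifiers, if any, follow and are ignored
        if itag != 0x06:
            raise ValueError("policyIdentifier must be an OID")
        oids.append(decode_oid(oid_bytes))
    return oids


def asserts_ev(ext_value: bytes, ev_oids=frozenset(EV_POLICY_OIDS)) -> bool:
    return any(oid in ev_oids for oid in policy_oids(ext_value))


def find_ev_assertions(corpus: Dict[str, bytes]) -> List[str]:
    """Labels of certificates whose certificatePolicies asserts an EV OID."""
    return sorted(label for label, ext in corpus.items() if asserts_ev(ext))


# Constructed sample extension values standing in for end-entity certificates.
_cps_qualifier = der_sequence(der_sequence(
    encode_oid(CPS_QUALIFIER_OID), b"\x16" + _der_len(23) + b"https://example.invalid"))
DV_CERT_POLICIES = der_sequence(der_sequence(encode_oid(CABF_DV_OID)))
OV_CERT_POLICIES = der_sequence(der_sequence(encode_oid(CABF_OV_OID), _cps_qualifier))
EV_CERT_POLICIES = der_sequence(der_sequence(encode_oid(CABF_EV_OID), _cps_qualifier),
                                der_sequence(encode_oid(CA_SPECIFIC_EV_OID)))
SAMPLE_CORPUS = {"leaf-dv-example": DV_CERT_POLICIES,
                 "leaf-ov-example": OV_CERT_POLICIES,
                 "leaf-ev-example": EV_CERT_POLICIES}

if __name__ == "__main__":
    print("EV assertions found:", find_ev_assertions(SAMPLE_CORPUS))
```

The set of OIDs to match should be built from the CA's CP/CPS (every EV policy OID it declares) plus the CA/Browser Forum EV OID; a non-empty result from `find_ev_assertions` over a CA that is outside the audit's EV scope is exactly the finding the audit is meant to exclude.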
