On 6/10/2020 11:38 μ.μ., Ben Wilson via dev-security-policy wrote:
#147 <https://github.com/mozilla/pkipolicy/issues/147> - Require EV audits
for certificates capable of issuing EV certificates – Clarify that EV
audits are required for all intermediate certificates that are technically
capable of issuing EV certificates, even when not currently issuing EV
certificates.
This issue is presented for resolution in the next version of the Mozilla
Root Store Policy.
Suggested language is presented here:
https://github.com/BenWilson-Mozilla/pkipolicy/commit/a83eca6d7d8bf2a3b30529775cb55b0c8a5f982b
The proposal is to replace "if issuing EV certificates" with "if capable of
issuing EV certificates" in two places -- for WebTrust and ETSI audits.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Judging from the earlier discussion that took place in September 2020, I
understand that some CAs have an EV-enabled hierarchy (meaning that the
Root CA is in scope of the EV Guidelines and is included in an audit
with "EV scope"), has issued some Intermediate CAs that issue EV
Certificates and are included in the audit with "EV scope", and some
Intermediate CAs that have never issued EV Certificates, nor are they
intended to issue EV Certificates and were not listed in the "EV scope"
of the audit.
I realize that this policy change, will require Intermediate CAs that
have never issued nor intend to issue EV Certificates, to be included in
an EV scope audit with the sole purpose of asserting that no TLS
Certificates have been issued in scope of the EV Guidelines, which
translates into making sure that no end-entity certificate has been
issued asserting the EV policy OID in the certificatePolicies extension.
Is that a fair statement?
Is there going to be an effective date after which Intermediate CA
Certificates which were not intended to issue EV Certificates, will be
required to have an EV audit?
Assuming my previous statement is fair, would it suffice for an auditor
to examine the corpus of non-expired/non-revoked Certificates off of
these "non-EV" Issuing CAs to ensure that no end-entity certificate has
been issued asserting the EV policy OID according to the CA's CP/CPS?
Finally, I would like to highlight that policy OID chaining is not
currently supported in the webPKI by Browsers, so even if a CA adds a
particular non-EV policyOID in an Intermediate CA Certificate, this
SubCA would still be technically capable of issuing an end-entity
certificate asserting an EV policy OID, and that certificate would
probably get EV treatment from existing browsers. Is this correct?
Thank you,
Dimitris.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
