Dear MDSP community!

I would like to try to summarize the answers to my original question. If you think I misunderstood an answer, please feel free to correct me.

We had replies considering my example not a misissuance, as long as the domain validation was performed correctly:

Rob: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XsVpyOGlagE/m/FprHuJeHAwAJ
Tim: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XsVpyOGlagE/m/A7ItybSJAwAJ
Ryan S: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XsVpyOGlagE/m/MIUVYrGZAwAJ
Cynthia (I'm not 100% sure I understood your statement correctly): https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XsVpyOGlagE/m/d4cbD1ukAwAJ

But we also had replies seeing it as a misissuance:

Ryan H: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XsVpyOGlagE/m/WkgjfmWIAwAJ
Pedro: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XsVpyOGlagE/m/7eqJO37NAgAJ

So I think it is obvious, the situation is not clear. How do we go forward? Would it make more sense to propose clarifying language on this topic for the next Mozilla Root Store Policies update, or does someone want to take this into the CA/B forum? Personally, I would prefer to discuss this in the context of the Mozilla Root Store Policy and later move it to the CA/B forum, as I'm not able to participate in the discussions of the Server Cert WG of the CA/B forum.

/Rufus

> -----Original Message-----
> From: [email protected] <[email protected]> On Behalf Of Buschart, Rufus
> Sent: Wednesday, 21 July 2021 17:01
> To: [email protected]
> Subject: Your opinion on misissuance under name constrained ICAs
>
> Dear MDSP community!
>
> I would like to ask for your opinion in regards to the following scenario:
>
> Let there be an Issuing CA that is name constrained (acc. BRGs 7.1.5) to the
> issuance of certificates only for example.com. Now this Issuing CA issues an
> end-entity certificate for example2.com. This certificate would be untrusted,
> but would this be considered a misissuance? And would it make a difference if
> the Issuing CA has successfully performed a domain validation according to the
> BRGs before issuing the end-entity certificate?
>
> I couldn't find any rules for this in the BRGs nor a discussion on this within
> the archive of this mailing list.
>
> With best regards
>
> Rufus Buschart
> Siemens AG
