On Wed, Aug 4, 2021 at 11:37 AM Buschart, Rufus <[email protected]> wrote:
> Thank you for clarification! But you would support the overall insight:
> currently it is not clear from the BRGs or the Mozilla Root Store Policy if
> this is a misissuance or not and we should clarify it?

Yes, this is something that has come up in the CA/Browser Forum before, although I don't have the links readily handy. Broadly, the discussion about what a CA can use their private key for also directly relates to the question about "what is an acceptable certificate to sign". Your question here, regarding an NC-violating EE certificate, is a subset of the broader problem of a "certificate which does not validate". I provided an example of a different manifestation of this problem, which was admirably handled, but it still remains broad.

The work of Certificate Profiles in the Validation Subcommittee, in part, is my attempt to formally tackle this. While I would love to be more ambitious in the initial scope, it's clear that CA members are not quite there yet, hence the multi-phase approach. My hope and goal is to ensure that the BRs are unambiguous regarding the expectations for compliance with RFC 5280, which, although this is already an _existing_ requirement, is not fully understood through its practical implications.

I don't believe this is something easily tackled with policy, if only because I believe the root cause is one that begins at a technical level with data being signed, and flows from there, which is why I've been focusing my time in this space.
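The "NC-violating EE certificate" discussed in the exchange above is one whose DNS names fall outside the name constraints of a CA on its path. As an added illustration that is not part of this thread, the following Python models that check for the dNSName form per RFC 5280 sections 4.2.1.10 and 6.1.4; the CA constraints and EE names are constructed sample data, not real certificates.

```python
"""Check an end-entity certificate's dNSName entries against the name
constraints of every CA on its path (RFC 5280 sections 4.2.1.10, 6.1.4).
Only the dNSName name form is modelled; all data below is constructed."""
from dataclasses import dataclass, field


def dns_in_subtree(name: str, base: str) -> bool:
    """RFC 5280: a dNSName satisfies a base if it equals it or is formed by
    adding labels on the left ('www.example.com' matches 'example.com',
    'badexample.com' does not). DNS names compare case-insensitively."""
    name, base = name.lower(), base.lower()
    return name == base or name.endswith("." + base)


@dataclass
class NameConstraints:
    permitted: list = field(default_factory=list)  # dNSName permittedSubtrees
    excluded: list = field(default_factory=list)   # dNSName excludedSubtrees


def violations(ee_dns_names, path_constraints):
    """Return (name, reason) pairs for EE names that do not validate.
    path_constraints lists each CA's NameConstraints, root first. Per RFC 5280
    section 6.1.4 the permitted sets intersect and the excluded sets union
    along the path, so a name must satisfy every CA's permitted set (an empty
    set means that CA imposes no dNSName restriction) and no excluded entry."""
    bad = []
    for name in ee_dns_names:
        for depth, nc in enumerate(path_constraints):
            if nc.permitted and not any(dns_in_subtree(name, b) for b in nc.permitted):
                bad.append((name, f"not in permittedSubtrees of CA {depth}"))
                break
            hit = [b for b in nc.excluded if dns_in_subtree(name, b)]
            if hit:
                bad.append((name, f"in excludedSubtrees '{hit[0]}' of CA {depth}"))
                break
    return bad


# Constructed sample: a single constrained CA and an EE with three SANs.
SAMPLE_PATH = [NameConstraints(permitted=["example.com"],
                               excluded=["internal.example.com"])]
SAMPLE_EE_NAMES = ["www.example.com", "mail.internal.example.com", "example.net"]

if __name__ == "__main__":
    for name, reason in violations(SAMPLE_EE_NAMES, SAMPLE_PATH):
        print(f"{name}: {reason}")
```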
