Looks like I made a copy-and-paste error for item 3, so correcting here: Therefore, I think that first paragraph should be changed to: All certificates that are capable of being used to issue working server or email certificates and that directly or transitively chain to a CA certificate included in Mozilla’s CA Certificate Program MUST be operated in accordance with this policy and MUST be publicly disclosed in the CCADB.
On Monday, November 15, 2021 at 11:40:58 AM UTC-8 Kathleen Wilson wrote:
> I feel like this item needs to be further discussed...
>
> 1) Section 1.1 of Mozilla's Root Store Policy (MRSP)
> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#11-scope>
> limits the scope of the policy to "intermediate certificates which are
> technically capable of issuing working server or email certificates". So my
> understanding is that the proposed changes would mean that all intermediate
> certificates which are technically capable of issuing working server or
> email certificates must be disclosed in the CCADB, even if they are name
> constrained. And the proposed changes would NOT mean that intermediate
> certificates would need to be disclosed in the CCADB when they contain an
> Extended Key Usage (EKU) extension which does not contain any of these
> KeyPurposeIds: anyExtendedKeyUsage, id-kp-serverAuth, id-kp-emailProtection.
> Correct?
>
> 2) Just wondering... How do you all think that requiring disclosure of
> technically-constrained intermediate certs in the CCADB improves security
> for end-users?
>
>> I have made an attempt to address this further with some commits in my
>> GitHub repository:
>>
>> https://github.com/mozilla/pkipolicy/compare/1829373903c8d58246c781ee11ea77d6d386985a...e6550dba22ed38ac6bdd33677a8bf3d2f00e75de
>
> 3) Regarding the proposed change in the first paragraph of section 5.3 from
> "Certificate Program MUST be operated in accordance with this policy and
> MUST either be technically constrained or be publicly disclosed and
> audited."
> to
> "Certificate Program MUST be operated in accordance with this policy and
> MUST either be technically constrained or be audited."
>
> My interpretation of the original sentence was: "MUST either be
> technically constrained or (be publicly disclosed and audited)."
> meaning that 3rd-party audit statements would have to be provided.
> I do NOT interpret it as meaning that technically-constrained intermediate
> certificates do not have to be audited at all. The BRs provide specific
> requirements for the oversight of technically-constrained intermediate
> certificates that I view as the minimum oversight that should be done for
> such intermediate certificates.
>
> Therefore, I think that first paragraph should be changed to:
> All certificates that are capable of being used to issue new certificates
> which are technically capable of issuing working server or email
> certificates and that directly or transitively chain to a CA certificate
> included in Mozilla’s CA Certificate Program MUST be operated in accordance
> with this policy and MUST be publicly disclosed in the CCADB.
>
> 4) Regarding these changes:
> - Move the 4th paragraph in MRSP § 5.3 to the first paragraph of § 5.3.2.
> - Move content from the second bullet in MRSP § 5.3.2 to the first
>   paragraph and eliminate the bulleted list.
>
> I think the new text of section 5.3.2 looks OK, except
>
> 4.a) Move this to its own paragraph:
> Name Constrained CA certificates that were exempt from disclosure in
> previous versions of this policy MUST be disclosed in the CCADB prior to
> July 1, 2022.
>
> 4.b) We CANNOT delete the sentence, "All disclosure MUST be made freely
> available..."
> We must keep that text, especially for audit statements. So keep this text
> as a separate paragraph:
>
> All disclosure MUST be made freely available and without additional
> requirements, including, but not limited to, registration, legal
> agreements, or restrictions on redistribution of the certificates in whole
> or in part.
>
> Thanks,
> Kathleen
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/d927b4bc-19be-4ec4-94a5-d7582fbc2890n%40mozilla.org.
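The scope rule that item 1 of the quoted message spells out (a CA certificate is "technically capable of issuing working server or email certificates" unless its EKU extension omits anyExtendedKeyUsage, id-kp-serverAuth and id-kp-emailProtection; name constraints alone do not take it out of scope) is concrete enough to check mechanically. The following Go program is an added example written for this page, not code from the thread, from Mozilla or from the pkipolicy repository. It looks only at the certificate's own basicConstraints, EKU and name-constraints extensions; the assumptions are that chaining to a Mozilla-included root, disclosure in the CCADB and audit coverage are verified elsewhere, and the test certificates it builds are self-signed throw-aways constructed in the program itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// scopeEKUs are the three KeyPurposeIds named in the thread. A CA certificate
// whose EKU extension carries any of them can issue working server or email
// certificates and is therefore in scope of MRSP section 1.1.
var scopeEKUs = map[x509.ExtKeyUsage]string{
	x509.ExtKeyUsageAny:             "anyExtendedKeyUsage",
	x509.ExtKeyUsageServerAuth:      "id-kp-serverAuth",
	x509.ExtKeyUsageEmailProtection: "id-kp-emailProtection",
}

// ScopeResult records the verdict and the extension that decided it.
type ScopeResult struct {
	InScope         bool
	NameConstrained bool
	Reason          string
}

// ClassifyIntermediate applies the reading of the proposal given in item 1:
// no EKU extension, or an EKU containing one of scopeEKUs, means the CA
// certificate must be disclosed; name constraints do not exempt it. An EKU
// that lists only other purposes (code signing, OCSP signing, unknown OIDs)
// puts it out of scope. Chaining to a Mozilla root is assumed to be checked
// elsewhere (assumption of this example).
func ClassifyIntermediate(c *x509.Certificate) ScopeResult {
	r := ScopeResult{NameConstrained: hasNameConstraints(c)}
	if !c.IsCA {
		r.Reason = "not a CA certificate"
		return r
	}
	// Absent EKU extension: issuance is unrestricted, so the CA is capable.
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		r.InScope, r.Reason = true, "no EKU extension: unrestricted issuance"
		return r
	}
	for _, eku := range c.ExtKeyUsage {
		if name, ok := scopeEKUs[eku]; ok {
			r.InScope, r.Reason = true, "EKU contains "+name
			return r
		}
	}
	r.Reason = "EKU lacks anyExtendedKeyUsage, id-kp-serverAuth and id-kp-emailProtection"
	return r
}

// hasNameConstraints reports whether any DNS or email name constraint is set.
func hasNameConstraints(c *x509.Certificate) bool {
	return len(c.PermittedDNSDomains) > 0 || len(c.ExcludedDNSDomains) > 0 ||
		len(c.PermittedEmailAddresses) > 0 || len(c.ExcludedEmailAddresses) > 0
}

// NewSelfSignedCA builds a constructed, throw-away CA certificate for the
// demonstration. ekus may be nil (no EKU extension at all) and permitted may
// list DNS name constraints.
func NewSelfSignedCA(cn string, ekus []x509.ExtKeyUsage, permitted []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:                big.NewInt(1),
		Subject:                     pkix.Name{CommonName: cn},
		NotBefore:                   time.Now().Add(-time.Hour),
		NotAfter:                    time.Now().Add(24 * time.Hour),
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtKeyUsage:                 ekus,
		PermittedDNSDomains:         permitted,
		PermittedDNSDomainsCritical: len(permitted) > 0,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cases := []struct {
		name      string
		ekus      []x509.ExtKeyUsage
		permitted []string
	}{
		{"unconstrained sub-CA", nil, nil},
		{"name-constrained TLS sub-CA", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, []string{".example.com"}},
		{"S/MIME sub-CA", []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}, nil},
		{"code-signing-only sub-CA", []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, nil},
	}
	for _, tc := range cases {
		c, err := NewSelfSignedCA(tc.name, tc.ekus, tc.permitted)
		if err != nil {
			panic(err)
		}
		r := ClassifyIntermediate(c)
		fmt.Printf("%-28s in scope=%-5v name-constrained=%-5v (%s)\n",
			tc.name, r.InScope, r.NameConstrained, r.Reason)
	}
}
```

The name-constrained TLS sub-CA is reported as in scope even though it is constrained, which is exactly the point of item 1: under the proposal, name constraints change nothing about the disclosure requirement, only the EKU does. A real CCADB reconciliation would run the same classification over every intermediate found in CT logs or reported by the CA and flag in-scope certificates that have no CCADB record.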
