On Friday, November 19, 2021 at 9:56:46 AM UTC-8 Ben Wilson wrote:
> All,
> I came across this section in the wiki that will need to be replaced -
> https://wiki.mozilla.org/CA/Subordinate_CA_Checklist#Non-disclosable_Intermediate_Certificates.
>
> Are there any convincing reasons for keeping the current policy of
> non-disclosure?
> Thanks,
> Ben

Hi Ben,
In reading https://wiki.mozilla.org/CA/Subordinate_CA_Checklist#Non-disclosable_Intermediate_Certificates I see: "Such TCSCAs are technically limited from the issuance of TLS/SSL certificates..." and "For example, if these subCAs are not used for the production of TLS/SSL certificates, but only identity certificates, then you can make use of the Extended Key Usage extension on the sub-CA to ensure it is present, and that it *lacks* the id-kp-serverAuth and anyExtendedKeyUsage extensions."

So I believe that this wiki page section is still very applicable and should be kept. However the second paragraph does need to be updated to match section 1.1 of MRSP and this current discussion regarding updating the disclosure requirements for intermediate certificates.

I propose the following text to replace the current second paragraph in this wiki page section:

All certificates that are capable of being used to issue working server or email certificates and that directly or transitively chain to a CA certificate included in Mozilla’s CA Certificate Program MUST be operated in accordance with Mozilla's Root Store Policy and MUST be publicly disclosed in the CCADB. Subordinate CA certificates that do NOT have an Extended Key Usage (EKU) extension which contains any of these KeyPurposeIds: anyExtendedKeyUsage, id-kp-serverAuth, id-kp-emailProtection are technically limited from the issuance of TLS/SSL and S/MIME certificates, so they are allowed to be operated without full public disclosure of their CP, CPS, and audit documentation <https://www.ccadb.org/cas/intermediates>.

Thanks,
Kathleen
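As an added example that is not part of this thread, the proposed EKU test applied in Go with the standard crypto/x509 package: a sub-CA needs CCADB disclosure when it has no EKU extension at all, or when its EKU contains anyExtendedKeyUsage, id-kp-serverAuth or id-kp-emailProtection. The certificate it checks is self-signed test data minted inside the program (an assumption for the demo, not a real CA), and the function names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DisclosureRequired applies the proposed wording: a sub-CA MUST be disclosed in the CCADB
// unless its EKU extension is present and omits anyExtendedKeyUsage, id-kp-serverAuth and id-kp-emailProtection.
func DisclosureRequired(cert *x509.Certificate) bool {
	if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 {
		return true // no EKU extension at all: not technically constrained
	}
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageAny || eku == x509.ExtKeyUsageServerAuth || eku == x509.ExtKeyUsageEmailProtection {
			return true
		}
	}
	return false // EKU present and none of the three KeyPurposeIds: disclosure not required
}

// NewTestCA mints a self-signed CA with the given EKUs (constructed test data, not a real CA); nil means no EKU extension.
func NewTestCA(ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Sub-CA"},
		IsCA: true, BasicConstraintsValid: true, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: ekus}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // parse back so the check sees the encoded extension, as a relying party would
}

func main() {
	cert, err := NewTestCA([]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
	if err != nil {
		panic(err)
	}
	fmt.Println("clientAuth-only sub-CA needs CCADB disclosure:", DisclosureRequired(cert))
}
```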
