All,

This email introduces discussion of another issue to be resolved by the next version of the Mozilla Root Store Policy (MSRP), version 2.8. (See https://github.com/mozilla/pkipolicy/labels/2.8)

This is Github Issue #226 <https://github.com/mozilla/pkipolicy/issues/226>.

Section 5.2 of the MSRP <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#52-forbidden-and-required-practices> lists the following certificate-related errors:

"CAs MUST NOT issue certificates that have:
- ASN.1 DER encoding errors;
- invalid public keys (e.g., RSA certificates with public exponent equal to 1);
- duplicate issuer names and serial numbers (except that a Certificate Transparency pre-certificate is allowed to match the corresponding certificate);
- incorrect extensions (e.g., SSL certificates that exclude SSL usage, or authority key IDs that include both the key ID and the issuer's issuer name and serial number); *or*
- cRLDistributionPoints or OCSP authorityInfoAccess extensions for which no operational CRL or OCSP service exists."

Specifically, this issue arose during a discussion of the fourth bullet - "incorrect extensions" - and whether the example was an accurate statement. The examples within the parentheses need to be clarified or replaced. For illustration, bullet 4 could be replaced with "incorrect extensions (e.g., a TLS certificate with the codeSigning EKU or a CA certificate without the basicConstraints extension);"

What other improvements could we make to this section? There are other certificate problems we've seen more recently. Should those be added to the list? If so, which ones? Should any items be removed from the list?

Thoughts?

Thanks,

Ben

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZJJ4Z4QkhyX7mpuMca3JpdE-E7KhVmLQ4P7UND82oZzw%40mail.gmail.com.
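The concrete defects named in the policy text and in the proposed bullet-4 wording (an RSA public exponent of 1, a TLS certificate carrying the codeSigning EKU, a certificate allowed to sign other certificates but lacking basicConstraints) can be checked mechanically; the Go program below is an added example that is not part of Ben's message, the Mozilla policy, or any CA tooling. It builds its own constructed sample certificates with a throwaway P-256 key and lints them with Go's standard crypto/x509 parser.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"math/big"
	"time"
)

// LintCert checks a parsed certificate against the MSRP 5.2 examples discussed above.
func LintCert(c *x509.Certificate) []string {
	var findings []string
	// Invalid public key: the policy's own example is an RSA public exponent of 1.
	if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.E < 3 {
		findings = append(findings, "invalid public key: RSA public exponent below 3")
	}
	tls, codeSign := false, false
	for _, eku := range c.ExtKeyUsage {
		tls = tls || eku == x509.ExtKeyUsageServerAuth
		codeSign = codeSign || eku == x509.ExtKeyUsageCodeSigning
	}
	if tls && codeSign {
		findings = append(findings, "incorrect extension: TLS certificate carries the codeSigning EKU")
	}
	// A key allowed to sign certificates must assert basicConstraints (cA=TRUE).
	if c.KeyUsage&x509.KeyUsageCertSign != 0 && !c.BasicConstraintsValid {
		findings = append(findings, "incorrect extension: CA certificate has no basicConstraints")
	}
	return findings
}

// MakeCert self-signs a template with a fresh P-256 key (constructed sample, not a real CA cert).
func MakeCert(tmpl *x509.Certificate) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl.NotBefore, tmpl.NotAfter = time.Now(), time.Now().Add(time.Hour)
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	c, _ := x509.ParseCertificate(der)
	return c
}

// SampleCerts returns two deliberately bad constructed certificates: a serverAuth
// certificate that also carries codeSigning, and a keyCertSign certificate with no basicConstraints.
func SampleCerts() []*x509.Certificate {
	return []*x509.Certificate{
		MakeCert(&x509.Certificate{SerialNumber: big.NewInt(1),
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageCodeSigning}}),
		MakeCert(&x509.Certificate{SerialNumber: big.NewInt(2), KeyUsage: x509.KeyUsageCertSign}),
	}
}
```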
