A recently-relevant example could be "an OCSP Delegated Responder without the id-pkix-ocsp-nocheck extension".
I think it is important to remove/improve the "SSL certificates that exclude SSL usage", given that a cert which does not have the TLSServerAuth EKU is by definition not an SSL certificate, so it's not crystal clear what the example means. Aaron On Wed, Jan 5, 2022 at 8:02 PM Ben Wilson <[email protected]> wrote: > All, > > This email introduces discussion of another issue to be resolved by the > next version of the Mozilla Root Store Policy (MSRP), version 2.8. (See > https://github.com/mozilla/pkipolicy/labels/2.8) > > This is Github Issue #226 > <https://github.com/mozilla/pkipolicy/issues/226>. > > Section 5.2 of the MSRP > <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#52-forbidden-and-required-practices> > lists the following certificate-related errors: > > "CAs MUST NOT issue certificates that have: > > - ASN.1 DER encoding errors; > - invalid public keys (e.g., RSA certificates with public exponent > equal to 1); > - duplicate issuer names and serial numbers (except that a Certificate > Transparency pre-certificate is allowed to match the corresponding > certificate); > - incorrect extensions (e.g., SSL certificates that exclude SSL usage, > or authority key IDs that include both the key ID and the issuer’s issuer > name and serial number); *or* > - cRLDistributionPoints or OCSP authorityInfoAccess extensions for > which no operational CRL or OCSP service exists." > > Specifically, this issue arose during a discussion of the fourth bullet - > "incorrect extensions" and whether the example was an accurate statement. > The examples within the parentheses need to be clarified or replaced. For > illustration, bullet 4 could be replaced with "incorrect extensions (e.g., > a TLS certificate with the codeSigning EKU or a CA certificate without > the basicConstraints extension);" > > What other improvements could we make to this section? > There are other certificate problems we've seen more recently. Should > those be added to the list? If so, which ones? > Should any items be removed from the list? > > Thoughts? > > Thanks, > > Ben > > > > -- > You received this message because you are subscribed to the Google Groups " > [email protected]" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZJJ4Z4QkhyX7mpuMca3JpdE-E7KhVmLQ4P7UND82oZzw%40mail.gmail.com > <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZJJ4Z4QkhyX7mpuMca3JpdE-E7KhVmLQ4P7UND82oZzw%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnErcWAsbsxRa3Di-k71GaCg_Yjn35dwp07OASYDmTYbK%3DWQ%40mail.gmail.com.
