> A recently-relevant example could be "an OCSP Delegated Responder without the 
> id-pkix-ocsp-nocheck extension".

 

This is a good example of a BR profile violation. However, since the Mozilla 
Root Program also includes SMIME certificate issuance and there is currently no 
requirement for ocsp-nocheck to be included in OCSP Delegated Responder 
certificates for SMIME, this example may cause confusion.

 

> I think it is important to remove/improve the "SSL certificates that exclude 
> SSL usage", given that a cert which does not have the TLSServerAuth EKU is by 
> definition not an SSL certificate, so it's not crystal clear what the example 
> means.

 

Agreed. Perhaps “SSL certificates that exclude SSL usage” can be changed to: 
“TLS certificates with no subjectAltName extension”

 

Thanks,

Corey

 

From: 'Aaron Gable' via [email protected] 
<[email protected]> 
Sent: Thursday, January 13, 2022 8:12 PM
To: Ben Wilson <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: Policy 2.8: MRSP Issue #226: Update the incorrect extensions item 
in section 5.2

 

A recently-relevant example could be "an OCSP Delegated Responder without the 
id-pkix-ocsp-nocheck extension".

 

I think it is important to remove/improve the "SSL certificates that exclude 
SSL usage", given that a cert which does not have the TLSServerAuth EKU is by 
definition not an SSL certificate, so it's not crystal clear what the example 
means.

 

Aaron

 

On Wed, Jan 5, 2022 at 8:02 PM Ben Wilson <[email protected]> wrote:

All,

 

This email introduces discussion of another issue to be resolved by the next 
version of the Mozilla Root Store Policy (MRSP), version 2.8. (See 
https://github.com/mozilla/pkipolicy/labels/2.8)

 

This is Github Issue #226 <https://github.com/mozilla/pkipolicy/issues/226> . 

 

Section 5.2 of the MRSP 
(https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#52-forbidden-and-required-practices) 
lists the following certificate-related errors:

"CAs MUST NOT issue certificates that have:

* ASN.1 DER encoding errors;

* invalid public keys (e.g., RSA certificates with public exponent equal 
to 1);

* duplicate issuer names and serial numbers (except that a Certificate 
Transparency pre-certificate is allowed to match the corresponding 
certificate);

* incorrect extensions (e.g., SSL certificates that exclude SSL usage, 
or authority key IDs that include both the key ID and the issuer’s issuer name 
and serial number); or

* cRLDistributionPoints or OCSP authorityInfoAccess extensions for which 
no operational CRL or OCSP service exists."

Specifically, this issue arose during a discussion of the fourth bullet - 
"incorrect extensions" and whether the example was an accurate statement.  The 
examples within the parentheses need to be clarified or replaced. For 
illustration, bullet 4 could be replaced with "incorrect extensions (e.g., a 
TLS certificate with the codeSigning EKU or a CA certificate without the 
basicConstraints extension);"

 

What other improvements could we make to this section?

There are other certificate problems we've seen more recently. Should those be 
added to the list? If so, which ones? 

Should any items be removed from the list?

 

Thoughts?

 

Thanks,

 

Ben

 

 

 

-- 
You received this message because you are subscribed to the Google Groups 
"[email protected] <mailto:[email protected]> " 
group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected] 
<mailto:[email protected]> .
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZJJ4Z4QkhyX7mpuMca3JpdE-E7KhVmLQ4P7UND82oZzw%40mail.gmail.com
 
<https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZJJ4Z4QkhyX7mpuMca3JpdE-E7KhVmLQ4P7UND82oZzw%40mail.gmail.com?utm_medium=email&utm_source=footer>
 .



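The cases traded back and forth in this thread (a TLS certificate with no subjectAltName or with a codeSigning EKU, a CA certificate without basicConstraints, an OCSP delegated responder without id-pkix-ocsp-nocheck) are all mechanically checkable from the DER. The following is an added example, not code from the thread, from Mozilla, or from any CA's lint tooling: a minimal pure-Python DER walker that parses an X.509 Extensions SEQUENCE and reports those findings per profile. The profile names ("tls", "ca", "ocsp-responder"), the finding strings, and the inline sample Extensions blocks are all constructed for illustration; the samples are Extensions blocks only, not full certificates. The nocheck check is written for the TLS delegated-responder case that Aaron raised; as Corey notes, it does not carry over to S/MIME responders as the policy stands.

```python
# Added example: lint X.509 Extensions against the concrete "incorrect
# extensions" cases named in the MRSP 5.2 discussion. Pure Python, no
# external library. Sample inputs are constructed inline, not real certs.

OID_KEY_USAGE = "2.5.29.15"
OID_SAN = "2.5.29.17"
OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_EKU = "2.5.29.37"
OID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
OID_KP_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
OID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"
OID_OCSP_NOCHECK = "1.3.6.1.5.5.7.48.1.5"


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (base-128 arcs, first two packed)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def extension(oid, value, critical=False):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    crit = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, encode_oid(oid) + crit + tlv(0x04, value))


def parse_extensions(der):
    """Map extnID -> (critical, extnValue) from an Extensions SEQUENCE."""
    _, seq, _ = read_tlv(der, 0)
    out, pos = {}, 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid_body, p = read_tlv(ext, 0)
        tag, body, p = read_tlv(ext, p)
        critical = False
        if tag == 0x01:  # optional BOOLEAN precedes the OCTET STRING
            critical, (_, body, p) = body == b"\xff", read_tlv(ext, p)
        out[decode_oid(oid_body)] = (critical, body)
    return out


def parse_oid_sequence(value):
    _, seq, _ = read_tlv(value, 0)
    oids, pos = [], 0
    while pos < len(seq):
        _, body, pos = read_tlv(seq, pos)
        oids.append(decode_oid(body))
    return oids


def lint(extensions_der, profile):
    """Findings for a hypothetical profile: 'tls', 'ca' or 'ocsp-responder'."""
    exts = parse_extensions(extensions_der)
    eku = parse_oid_sequence(exts[OID_EKU][1]) if OID_EKU in exts else []
    findings = []
    if profile == "tls":
        if OID_KP_SERVER_AUTH not in eku:
            findings.append("TLS certificate without id-kp-serverAuth in EKU")
        if OID_SAN not in exts:
            findings.append("TLS certificate with no subjectAltName extension")
        if OID_KP_CODE_SIGNING in eku:
            findings.append("TLS certificate with the codeSigning EKU")
    elif profile == "ca":
        if OID_BASIC_CONSTRAINTS not in exts:
            findings.append("CA certificate without the basicConstraints extension")
        elif not exts[OID_BASIC_CONSTRAINTS][0]:  # RFC 5280 4.2.1.9: MUST be critical in CA certs
            findings.append("basicConstraints not marked critical")
    elif profile == "ocsp-responder":
        if OID_KP_OCSP_SIGNING not in eku:
            findings.append("OCSP responder without id-kp-OCSPSigning in EKU")
        if OID_OCSP_NOCHECK not in exts:
            findings.append("OCSP delegated responder without id-pkix-ocsp-nocheck")
    return findings


def sample_extensions():
    """Constructed Extensions blocks, one per case raised in the thread."""
    san = tlv(0x30, tlv(0x82, b"example.com"))  # GeneralNames { dNSName [2] }
    server_auth = tlv(0x30, encode_oid(OID_KP_SERVER_AUTH))
    ocsp_signing = tlv(0x30, encode_oid(OID_KP_OCSP_SIGNING))
    return {
        "tls_ok": tlv(0x30, extension(OID_SAN, san) + extension(OID_EKU, server_auth)),
        "tls_no_san_codesigning": tlv(0x30, extension(OID_EKU, tlv(
            0x30, encode_oid(OID_KP_SERVER_AUTH) + encode_oid(OID_KP_CODE_SIGNING)))),
        "ca_no_basic_constraints": tlv(0x30, extension(
            OID_KEY_USAGE, tlv(0x03, b"\x01\x06"), critical=True)),  # keyCertSign|cRLSign
        "ocsp_no_nocheck": tlv(0x30, extension(OID_EKU, ocsp_signing)),
        "ocsp_ok": tlv(0x30, extension(OID_EKU, ocsp_signing)
                       + extension(OID_OCSP_NOCHECK, b"\x05\x00")),  # value is ASN.1 NULL
    }


if __name__ == "__main__":
    for name, der in sample_extensions().items():
        profile = {"tls": "tls", "ca": "ca", "ocsp": "ocsp-responder"}[name.split("_")[0]]
        print(f"{name}: {lint(der, profile) or 'clean'}")
```

The profile argument stands in for the part a linter cannot read off the certificate alone: which policy the certificate claims to satisfy. That is the point behind the thread's objection to "SSL certificates that exclude SSL usage", since a certificate with no serverAuth EKU is not in the TLS profile to begin with, and it is also why the nocheck finding is gated on the responder profile rather than applied to every certificate carrying an OCSPSigning EKU.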