Dear Mohamed,

You have asked whether an intermediate CA certificate with an EKU constraint of clientAuth and document signing (and no EKU for email security or serverAuth) would pull it out of scope for Mozilla, even if the end entity certificates do not have a standard EKU. I think it would be out of scope as far as Mozilla's websites trust bit and email trust bit are concerned. I think we would still want to see the intermediate CA certificate disclosed in the CCADB, and the SHA-2 hash would need to be included in the WebTrust v2.2.1 standard audit. Also, I think it would be highly preferable to include some EKU in the end entity certificates (rather than having no EKU).
Does anyone see problems with this approach?

Thanks,
Ben

On Tue, Feb 1, 2022 at 9:33 AM Mohamed Abdelshahid <[email protected]> wrote:

> Dear Mozilla team,
>
> I have a clarification that I need to discuss with you please.
>
> We have a 2-level CA hierarchy where the Root CA sits at the top level while Issuing CAs come at the second level.
>
> As part of the regular issuing CA re-key, we are going to add technical constraints to all issuing CAs in order to have separate Issuer CAs for Server Authentication, Code Signing, and Time Stamping uses. That will be reflected in the Issuing CAs' certificates as follows:
>
>   Issuing CA                              EKU
>   ------------------------------------    ---------------------------------------------------------
>   Devices Certification Authority         serverAuth, clientAuth
>   Corporate Certification Authority       clientAuth, Microsoft Document Signing (1.3.6.1.4.1.311.10.3.12)
>   Code Signing Certification Authority    codeSigning
>   Timestamping Certification Authority    timeStamping
>
> According to our reading of Mozilla policy section 1.1, and given the above constraints, we assume that the Corporate Certification Authority and its underlying certificates (EE certificates) don't fall under Mozilla's scope. Could you please confirm?
>
> Kindly note that the rationale behind our question is that there are cases where we will not be able to have an EKU in EE certificates issued by the Corporate Certification Authority when the purpose/use of the certificate does not match any of the standard EKUs.
>
> Thank you in advance.
>
> Kind Regards,
> Mohamed Abdelshahid
> محمد عبدالشهيد
> Principal PKI Consultant
> T: +97144150400 P.O.
> Box 36996
> M: +971566824278 Dubai, UAE
> E: [email protected]
> www.desc.gov.ae
>
> To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/55dfa2e791e54c0995ddd7b13f14f610%40desc.gov.ae

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaajNVxFxo-pfT--Gs1ydspDMvFoT9FSrrMTQhtH2JwkBw%40mail.gmail.com
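The EKU reasoning the thread turns on, written out as an added example (it is not code from the thread, from DESC, or from Mozilla). The block encodes and decodes the extKeyUsage extension value in DER, applies the scope test Ben's answer relies on (a CA certificate with no EKU is in scope for both the websites and email trust bits; with an EKU it is in scope for websites only if serverAuth or anyExtendedKeyUsage is present, and for email only if emailProtection or anyExtendedKeyUsage is present; the exact wording is in the Mozilla Root Store Policy, section 1.1, and should be checked there), and then shows why an end-entity certificate with no EKU under the Corporate CA still cannot be used for TLS server authentication: the major verifiers intersect the EKUs of every certificate in the chain, so the intermediate's clientAuth/document-signing EKU caps what the EE can do. The OIDs are the standard RFC 5280 and Microsoft values; treating anyExtendedKeyUsage in an intermediate as unconstrained is an assumption of this example (verifiers differ on it), and the function and constant names are the example's own.

```python
"""Added example (not from the thread): does an intermediate's EKU pull it out
of scope for Mozilla's websites/email trust bits, and what EKU chaining means
for an end-entity certificate that carries no EKU at all."""

# Standard EKU OIDs (RFC 5280 and Microsoft) used in the hierarchy under discussion.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
TIME_STAMPING = "1.3.6.1.5.5.7.3.8"
ANY_EKU = "2.5.29.37.0"
MS_DOCUMENT_SIGNING = "1.3.6.1.4.1.311.10.3.12"

# --- minimal DER codec for the extKeyUsage value: SEQUENCE OF OBJECT IDENTIFIER ---

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _base128(n: int) -> bytes:
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(40 * arcs[0] + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return b"\x06" + _der_len(len(body)) + body

def encode_eku(oids) -> bytes:
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_len(len(body)) + body

def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body: bytes) -> str:
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    first = arcs[0]
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def decode_eku(der: bytes):
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("extKeyUsage value is not a single DER SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, oid_body, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("extKeyUsage entries must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(oid_body))
    return oids

# --- the policy test and the verifier behaviour ---

def mozilla_scope(eku):
    """Scope test as relied on in the thread (check the policy text for exact
    wording): no EKU extension means the CA can issue TLS and S/MIME
    certificates and is in scope for both bits; otherwise websites needs
    serverAuth or anyEKU, email needs emailProtection or anyEKU."""
    if eku is None:
        return {"websites": True, "email": True}
    s = set(eku)
    return {"websites": SERVER_AUTH in s or ANY_EKU in s,
            "email": EMAIL_PROTECTION in s or ANY_EKU in s}

def effective_purposes(chain):
    """EKU chaining as the major TLS verifiers do it: the purposes an EE can be
    used for are the intersection of every EKU extension in the chain.  `chain`
    lists EKUs from the end-entity upward; None means no EKU extension.
    anyExtendedKeyUsage is treated as unconstrained here (an assumption)."""
    allowed = None
    for eku in chain:
        if eku is None or ANY_EKU in eku:
            continue
        allowed = set(eku) if allowed is None else allowed & set(eku)
    return allowed                          # None: any purpose

# The hierarchy from the question, with the EKUs the re-keyed issuing CAs will carry.
HIERARCHY = {
    "Devices Certification Authority": [SERVER_AUTH, CLIENT_AUTH],
    "Corporate Certification Authority": [CLIENT_AUTH, MS_DOCUMENT_SIGNING],
    "Code Signing Certification Authority": [CODE_SIGNING],
    "Timestamping Certification Authority": [TIME_STAMPING],
}

def hierarchy_scope():
    """Round-trip each CA's EKU through DER (as it sits in the certificate) and
    report the scope decision per trust bit."""
    return {name: mozilla_scope(decode_eku(encode_eku(eku))) for name, eku in HIERARCHY.items()}

def corporate_ee_without_eku_can_do_tls():
    """The case the question raises: an EE under the Corporate CA with no EKU."""
    purposes = effective_purposes([None, HIERARCHY["Corporate Certification Authority"]])
    return purposes is None or SERVER_AUTH in purposes

if __name__ == "__main__":
    for name, scope in hierarchy_scope().items():
        print(f"{name:40s} websites={scope['websites']!s:5} email={scope['email']!s:5}")
    print("EE with no EKU under Corporate CA usable for TLS server auth:",
          corporate_ee_without_eku_can_do_tls())
```

Running it as a script prints the scope decision for each of the four issuing CAs (only the Devices CA lands in scope for the websites bit; none for the email bit) and reports that an EKU-less EE under the Corporate CA is not usable for TLS server authentication. The same decode path can be pointed at the extKeyUsage extension value pulled out of a real intermediate certificate to check what the re-keyed CA actually carries.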
