Hi Ben,

In giving the draft 2.8 policy another read, I found a potential inconsistency that should be resolved. Section 5.3.1 [1] says:

"If the intermediate CA certificate includes the id-kp-serverAuth extended key usage, then to be considered technically constrained, the certificate MUST be Name Constrained as described in section 7.1.5 of version 1.3 or later of the Baseline Requirements. The id-kp-clientAuth EKU MAY also be present. The conformance requirements defined in section 2.3 of this policy also apply to technically constrained intermediate certificates.

If the intermediate CA certificate includes the id-kp-emailProtection extended key usage, then to be considered technically constrained, it MUST include the Name Constraints X.509v3 extension with constraints on rfc822Name, with at least one name in permittedSubtrees, each such name having its ownership validated according to section 3.2.2.4 of the Baseline Requirements. The values id-kp-serverAuth and anyExtendedKeyUsage MUST NOT be present. id-kp-clientAuth MAY be present. Other values that the CA is allowed to use and are documented in the CA’s CP, CPS, or combined CP/CPS MAY be present."

In particular, the sentence "Other values that the CA is allowed to use and are documented in the CA’s CP, CPS, or combined CP/CPS MAY be present." should also be added to the paragraph for id-kp-serverAuth. Without that sentence, a "default deny" interpretation of that paragraph may lead some readers to the conclusion that other EKU values are not allowed.

Thanks,
Corey

[1] https://github.com/BenWilson-Mozilla/pkipolicy/blob/2.8/rootstore/policy.md#531-technically-constrained

On Wednesday, April 13, 2022 at 1:18:39 PM UTC-4 [email protected] wrote:
> All,
>
> Here are links helpful during your final review of version 2.8 of the
> Mozilla Root Store Policy (MRSP):
>
> https://github.com/BenWilson-Mozilla/pkipolicy/blob/2.8/rootstore/policy.md
> https://github.com/mozilla/pkipolicy/compare/master...BenWilson-Mozilla:2.8
> (redlined)
>
> Please review the changes and provide any additional comments by the end
> of Tuesday, April 19, 2022.
> My plan is to move this version over to the Mozilla pkipolicy repository
> on Github <https://github.com/mozilla/pkipolicy/tree/master/rootstore>,
> and then I'll request that it be published on Mozilla's website
> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/>
> to replace version 2.7.1.
>
> Thanks,
>
> Ben
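As an added illustration, not part of the thread or of the MRSP itself: a small Python checker that applies the two quoted paragraphs of section 5.3.1 to a constructed model of an intermediate certificate, with a switch for the "default deny" reading of the id-kp-serverAuth paragraph so the two interpretations can be compared on the same input. The dataclass, its field names and the sample EKU sets are assumptions made for the example; the OIDs are the standard id-kp values.

```python
from dataclasses import dataclass, field

# Extended Key Usage OIDs as encoded in X.509 certificates.
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"


@dataclass
class IntermediateCA:
    """Constructed model of the fields section 5.3.1 looks at (not a parsed certificate)."""
    ekus: set                                              # OIDs in the EKU extension
    name_constrained: bool = False                         # Name Constraints per BR 7.1.5
    permitted_rfc822: list = field(default_factory=list)   # rfc822Name permittedSubtrees
    cps_documented_ekus: set = field(default_factory=set)  # other EKUs listed in the CP/CPS


def check_technically_constrained(ca, default_deny_server_auth=False):
    """Return (ok, findings) for the draft 2.8 wording of section 5.3.1.

    default_deny_server_auth=True applies the reading the message warns about:
    the id-kp-serverAuth paragraph never says other EKUs MAY be present, so
    treat any other EKU as forbidden. The emailProtection paragraph lists the
    permitted extras explicitly, so its result does not depend on the switch.
    Certificates with neither EKU are outside the quoted text and pass here.
    """
    named = {ID_KP_SERVER_AUTH, ID_KP_CLIENT_AUTH, ID_KP_EMAIL_PROTECTION, ANY_EXTENDED_KEY_USAGE}
    others = ca.ekus - named
    findings = []
    if ID_KP_SERVER_AUTH in ca.ekus:
        if not ca.name_constrained:
            findings.append("serverAuth without Name Constraints (BR 7.1.5)")
        if default_deny_server_auth and others:
            findings.append(f"serverAuth paragraph is silent on EKUs {sorted(others)}")
    if ID_KP_EMAIL_PROTECTION in ca.ekus:
        # Ownership validation of each permitted name (BR 3.2.2.4) cannot be checked offline.
        if not ca.name_constrained or not ca.permitted_rfc822:
            findings.append("emailProtection without rfc822Name permittedSubtrees")
        if ca.ekus & {ID_KP_SERVER_AUTH, ANY_EXTENDED_KEY_USAGE}:
            findings.append("emailProtection combined with serverAuth or anyExtendedKeyUsage")
        undocumented = others - ca.cps_documented_ekus
        if undocumented:
            findings.append(f"EKUs not documented in CP/CPS: {sorted(undocumented)}")
    return (not findings, findings)
```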
