I can’t speak to the extension-value details, but I agree with it being a good change.
Mike On Thu, Dec 19, 2024 at 12:17 AM 'Ben Wilson' via [email protected] <[email protected]> wrote: > All, > > Here for comment is a first draft of a proposal to phase-out multi-purpose > root CA certificates. This is tied to GitHub Issue #279 > <https://github.com/mozilla/pkipolicy/issues/279>, referenced in the > subject line above. > > This proposal is that a new Section 7.5 be added to the Mozilla Root Store > Policy (MRSP). Other conforming changes would be made elsewhere in the MRSP > to remove any implication that a root CA certificate could have both the > websites trust bit and the email-protection trust bit after January 1, 2027. > > Please provide any comments or suggestions you might have to improve or > change this proposal. > > Thanks, > > Ben > > > *7.5 Dedicated Root Certificates* > > Effective immediately, all root CA certificates being considered for > inclusion in Mozilla's Root Store MUST be dedicated either to TLS server > authentication or to S/MIME email protection. Existing root CA certificates > that do not comply with this requirement MUST be replaced or transition to > a dedicated hierarchy prior to January 1, 2027. > > *7.5.1 TLS Server Authentication Roots* > > Root CA certificates dedicated to TLS server authentication with the > websites trust bit enabled MUST meet the following criteria: > > 1. All subordinate CA certificates MUST: > - Include the extendedKeyUsage extension and assert only: > - id-kp-serverAuth; or > - Both id-kp-serverAuth and id-kp-clientAuth. > - Not share a public key with any certificate that asserts a > different extendedKeyUsage value. > 2. All end-entity certificates issued MUST: > - Include the extendedKeyUsage extension and assert only: > - id-kp-serverAuth; or > - Both id-kp-serverAuth and id-kp-clientAuth. > > *7.5.2 S/MIME Roots* > > Root CA certificates dedicated to S/MIME with the email protection trust > bit enabled MUST meet the following criteria: > > 1. All subordinate CA certificates MUST: > - Include the extendedKeyUsage extension and assert only: > - id-kp-emailProtection; or > - Both id-kp-emailProtection and id-kp-clientAuth. > - Not share a public key with any certificate that asserts a > different extendedKeyUsage value. > 2. All end-entity certificates issued MUST: > - Include the extendedKeyUsage extension and assert only: > - id-kp-emailProtection; or > - Both id-kp-emailProtection and id-kp-clientAuth. > > *7.5.3 Transition Plan for Existing Multi-Purpose Roots* > > Root CA certificates included in Mozilla's Root Store as of January 1, > 2025, with both the websites and the email trust bits enabled, MAY continue > to be trusted after January 1, 2026, if by such date the CA operator has > submitted a transition plan that demonstrates a feasible migration to a > dedicated hierarchy that will be completed prior to January 1, 2027. > > Transition plans MUST address the following: > > 1. Existing submissions of requests for inclusion of new > single-purpose roots; > 2. Requests to remove the websites trust bit or the email trust bit > from a multi-purpose root; and > 3. Timelines for phasing out multiple uses of the root--dates by which > certificates that do not meet the requirements of Sections 7.5.1 or 7.5.2 > will be revoked, expire, be replaced, or for which issuance will cease. > > > -- > You received this message because you are subscribed to the Google Groups " > [email protected]" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion visit > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaYWFREw%2B0KOU61bVgjZXxHZuvQyXmQDSbMgMZqVk18FTQ%40mail.gmail.com > <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaYWFREw%2B0KOU61bVgjZXxHZuvQyXmQDSbMgMZqVk18FTQ%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CADQzZqt_NZxJQ8L8ZX7UxDqKPsHTvNMSZTmedJoJ6r3g98kvhQ%40mail.gmail.com.
