Hello everyone,
This is the first time I am writing here. I've been reading (part of) this list
and the Bugzilla section of the CA Program for a while. I hope I can
cooperate. I am especially interested in the technical aspects and legal
implications that electronic certificates have in the EU, as laws are appearing
and the public is unaware of them.
Well, back to the issue. I've seen Bug 1394595
(https://bugzilla.mozilla.org/show_bug.cgi?id=1394595), where Firmaprofesional
requests the addition of a subCA to OneCRL because the subCA is not technically
constrained and, as a preventive measure, wants to avoid any misissuance of TLS
certificates. I congratulate Firmaprofesional for making this move in favor of
transparency and tech security. This comes after FNMT got one subCA
added to OneCRL because of the addition of anyExtendedKeyUsage to its personal
certs
(https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/Qo1ZNwlYKnY/UrAodnoQBwAJ),
and a similar subCA is on the way to being added to OneCRL for prevention.
But I find an issue here. The root has both the websites and the email trust bits. The
subCA cert is not constrained. The representative of the CA wants to add the
subCA to OneCRL because this subCA doesn't issue TLS certificates. OneCRL and
the CA program act on both Firefox (if the websites trust bit is enabled) and
Thunderbird (if the email trust bit is enabled). If a subCA is added to OneCRL, all
certs that chain up to it become untrusted, for both bits.
I am not quite sure how many people receive, on their Thunderbird client, emails
signed with a personal electronic certificate, but I think we can agree that
they are fewer than all Firefox users.
So, my questions are,
- Should CAs that ONLY have the websites trust bit get all their subCAs (those
that do not issue TLS certificates and whose intermediate certificate is not
technologically constrained) added to OneCRL just for prevention? Should this
become mandatory?
- Should CAs that have BOTH trust bits get all their subCAs (those that issue
personal certificates but whose email-signing capability is not advertised to
their consumers, e.g. the consumer gets the certificate to be able to do some
bureaucratic procedures with the Government, and whose intermediate certificate
is not technologically constrained) added to OneCRL just for prevention? Should
this become mandatory?
- Should CAs that have BOTH trust bits get all their subCAs (those that issue
certificates that are neither TLS nor related to email signing and whose
intermediate certificate is not technologically constrained) added to OneCRL
just for prevention? Should this become mandatory?
Greetings,
Víctor
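The "technically constrained" test that these questions turn on, as an added illustration that is not part of Víctor's post nor any Mozilla or CA code: a Go check over a parsed intermediate using the standard crypto/x509 package. It assumes a simplified reading of the policy rule (an EKU extension present and free of anyExtendedKeyUsage, with name constraints required wherever serverAuth or emailProtection is allowed), builds its own constructed self-signed test certificate, and uses hypothetical function names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TechnicallyConstrained applies the assumed simplified rule: EKU present, no anyExtendedKeyUsage, name constraints if serverAuth/emailProtection.
func TechnicallyConstrained(c *x509.Certificate) (bool, string) {
	if len(c.ExtKeyUsage)+len(c.UnknownExtKeyUsage) == 0 {
		return false, "no EKU extension: may issue for any purpose, TLS included"
	}
	for _, eku := range c.ExtKeyUsage {
		switch {
		case eku == x509.ExtKeyUsageAny:
			return false, "EKU includes anyExtendedKeyUsage"
		case eku == x509.ExtKeyUsageServerAuth && len(c.PermittedDNSDomains)+len(c.PermittedIPRanges) == 0:
			return false, "serverAuth allowed without dNSName/iPAddress constraints"
		case eku == x509.ExtKeyUsageEmailProtection && len(c.PermittedEmailAddresses) == 0:
			return false, "emailProtection allowed without rfc822Name constraints"
		}
	}
	return true, "EKU-limited, name-constrained where required"
}

// MakeSubCA builds and re-parses a self-signed CA certificate (constructed test data, not any real CA's).
func MakeSubCA(ekus []x509.ExtKeyUsage, dns, emails []string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Sub CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, ExtKeyUsage: ekus,
		PermittedDNSDomains: dns, PermittedEmailAddresses: emails,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() { // the anyExtendedKeyUsage subCA the thread describes is the failing case
	fmt.Println(TechnicallyConstrained(MakeSubCA([]x509.ExtKeyUsage{x509.ExtKeyUsageAny}, nil, nil)))
}
```

A subCA that fails this check is exactly the kind the thread discusses adding to OneCRL as a precaution, since nothing in the certificate itself keeps it from issuing for TLS.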
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy