Re: Adding a subCA to OneCRL when email-signing users may be impacted

2017-09-01 Thread Gervase Markham via dev-security-policy
On 01/09/17 04:47, Víctor wrote:
> But I find an issue here. The root has both websites and email trust
> bits. The subCA cert is not constrained. The representative of the CA
> want to add the subCA to OneCRL because this subCA doesn't issue TLS
> certificates. OneCRL and the CA program acts on both Firefox (if
> websites trust bit enabled) and Thunderbird (if email trust bit
> enabled). 

I don't believe Thunderbird checks OneCRL, although someone may wish to
contradict me.

> - Should CAs that ONLY have the websites trust bit get all its subCAs
> -that do not issue TLS certificates and the intermediate certificate
> is not technologically constrained- added to OneCRL just for
> prevention? Should this become mandatory?

SubCAs which are technically capable of issuing TLS certificates,
whether the CA intends for them to do so or not, need to either be
name-constrained or need to be publicly disclosed and audited. If
neither of those things is possible, we might add it to OneCRL, but this
should not be seen as a simple and first-choice solution. Better is to
make subCAs which are not intended for TLS certificates not technically
capable of issuing them in the first place.

Gerv

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
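The rule in Gerv's reply (a subCA that can technically issue TLS certificates must be name-constrained, or else disclosed and audited, with OneCRL only as a last resort) can be checked mechanically against an intermediate's EKU and name constraints extensions. The Go program below is an added example, not code from this thread or from Mozilla. It uses only Go's standard library, builds constructed throwaway intermediates under a constructed root so it runs offline, and classifies each one. The function names are assumptions, as is the simplification that only dNSName constraints are inspected and that one key is reused for root and subCA to keep the example short.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TLSCapable reports whether an intermediate is technically able to issue TLS
// server certificates: no EKU extension at all (it inherits every usage), or an
// EKU that lists anyExtendedKeyUsage or id-kp-serverAuth. The CA's intent does
// not enter into it.
func TLSCapable(cert *x509.Certificate) bool {
	if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 {
		return true // EKU extension absent
	}
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageAny || eku == x509.ExtKeyUsageServerAuth {
			return true
		}
	}
	return false
}

// NameConstrained reports a name constraints extension on dNSName subtrees.
// Assumption: other name forms (IP, email, URI) are ignored in this example.
func NameConstrained(cert *x509.Certificate) bool {
	return len(cert.PermittedDNSDomains) > 0 || len(cert.ExcludedDNSDomains) > 0
}

// NeedsDisclosureAndAudit applies the rule from the reply: a TLS-capable subCA
// that is not name-constrained must be disclosed and audited (OneCRL being the
// last resort, not the first choice).
func NeedsDisclosureAndAudit(cert *x509.Certificate) bool {
	return TLSCapable(cert) && !NameConstrained(cert)
}

// makeIntermediate builds a constructed, throwaway intermediate signed by a
// constructed root so the checks run offline. nil ekus omits the EKU extension;
// permittedDNS adds a name constraints extension. One key is reused for both
// certificates purely to keep the example short.
func makeIntermediate(ekus []x509.ExtKeyUsage, permittedDNS []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	root := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, root, root, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	rootCert, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}
	sub := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Constructed Test SubCA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		ExtKeyUsage: ekus, PermittedDNSDomains: permittedDNS,
	}
	subDER, err := x509.CreateCertificate(rand.Reader, sub, rootCert, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(subDER)
}

func main() {
	cases := []struct {
		name string
		ekus []x509.ExtKeyUsage
		dns  []string
	}{
		{"no EKU extension", nil, nil},
		{"emailProtection only", []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}, nil},
		{"anyExtendedKeyUsage", []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, nil},
		{"serverAuth + name constraints", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, []string{"example.test"}},
	}
	for _, c := range cases {
		cert, err := makeIntermediate(c.ekus, c.dns)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-30s tlsCapable=%-5v nameConstrained=%-5v needsDisclosureAndAudit=%v\n",
			c.name, TLSCapable(cert), NameConstrained(cert), NeedsDisclosureAndAudit(cert))
	}
}
```

The emailProtection-only case is the shape Gerv recommends: the subCA cannot issue TLS certificates, so neither disclosure for TLS purposes nor OneCRL is needed to protect Firefox users, and email-signing users are unaffected. The no-EKU and anyExtendedKeyUsage cases are the ones that force the disclose-or-OneCRL choice the thread is about.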


Adding a subCA to OneCRL when email-signing users may be impacted

2017-09-01 Thread Víctor via dev-security-policy
Hello everyone,

This is the first time I am writing here. I've been reading (part of) this list
and the Bugzilla section of the CA Program for a while. I hope I can
cooperate. I am especially interested in the technical aspects and legal
implications that electronic certificates have in the EU, as laws are appearing
and public opinion is unaware of that.

Well, back to the issue, I've seen Bug 1394595
(https://bugzilla.mozilla.org/show_bug.cgi?id=1394595) where Firmaprofesional
requests the addition of a subCA to OneCRL because the subCA is not technically
constrained and, for prevention, wants to avoid any misissuance of TLS
certificates. I congratulate Firmaprofesional for making this move in favor of
transparency and tech security. This comes after FNMT got one subCA
added to OneCRL because of the addition of anyExtendedKeyUsage to its personal
certs
(https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/Qo1ZNwlYKnY/UrAodnoQBwAJ).
And a similar subCA is on the way to being added to OneCRL for prevention.

But I find an issue here. The root has both websites and email trust bits. The
subCA cert is not constrained. The representative of the CA wants to add the
subCA to OneCRL because this subCA doesn't issue TLS certificates. OneCRL and
the CA program act on both Firefox (if the websites trust bit is enabled) and
Thunderbird (if the email trust bit is enabled). If a subCA is added to OneCRL, all
certs that chain up to it become untrusted, for both bits.

I am not quite sure how many people receive, in their Thunderbird client, emails
signed with a personal electronic certificate, but I think we can agree that
they are fewer than all Firefox users.

So, my questions are,

- Should CAs that ONLY have the websites trust bit get all their subCAs (that do
not issue TLS certificates and whose intermediate certificate is not
technologically constrained) added to OneCRL just for prevention? Should this
become mandatory?

- Should CAs that have BOTH trust bits get all their subCAs (that issue personal
certificates but where email signing is not advertised to their consumers, e.g. the
consumer gets the certificate to be able to do some bureaucratic procedures
with the Government, and whose intermediate certificate is not technologically
constrained) added to OneCRL just for prevention? Should this become mandatory?

- Should CAs that have BOTH trust bits get all their subCAs (that issue
certificates that are neither TLS nor related to email signing and whose
intermediate certificate is not technologically constrained) added to OneCRL
just for prevention? Should this become mandatory?

Greetings,
Víctor