Let us consider the case that the CA unsets the critical flag unintentionally,
e.g. using the default configuration. Which means there are no explicit
reasons. Is it required that the CA create an incident report to Mozilla?
On Tue, 9 Apr 2019, 19:14 Ryan Sleevi wrote:
>
>
> On Tue, Apr 9, 2019
On Tue, 9 Apr 2019 14:07:55 -0400
Ryan Sleevi via dev-security-policy
wrote:
> I think it's merely a misparsing of the description.
>
> The intermediate you referenced - https://crt.sh/?id=197857126 -
> chains to a "root in Mozilla's program with the Websites trust bit
> set". That root is https
On Tuesday, April 9, 2019 at 12:08:16 PM UTC-6, Ryan Sleevi wrote:
> On Tue, Apr 9, 2019 at 11:25 AM Nick Lamb via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > Mozilla's wiki has a page about the subCAs
> >
> > https://wiki.mozilla.org/CA/Intermediate_Certificates
>
On Tue, Apr 9, 2019 at 11:25 AM Nick Lamb via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Mozilla's wiki has a page about the subCAs
>
> https://wiki.mozilla.org/CA/Intermediate_Certificates
>
> On that page I see a link labelled:
>
> "Non-revoked, non-expired Intermediat
On Tue, Apr 9, 2019 at 10:39 AM Lijun Liao wrote:
> Just to make it clear: The extension KeyUsage is optional in the subscriber's
> certificate. But what happens if it is present and is NOT critical?
>
RFC 5280 says SHOULD, not MUST. RFC 2119 defines SHOULD as:
3. SHOULD This word, or the adjective
Mozilla's wiki has a page about the subCAs
https://wiki.mozilla.org/CA/Intermediate_Certificates
On that page I see a link labelled:
"Non-revoked, non-expired Intermediate CA Certificates chaining up to
roots in Mozilla's program with the Websites trust bit set"
And clicking that link produces
Just to make it clear: The extension KeyUsage is optional in the subscriber's
certificate. But what happens if it is present and is NOT critical?
On Tue, 9 Apr 2019, 16:29 Ryan Sleevi wrote:
> 1. Open
> https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.6.4.pdf
> 2. Search for "KeyUsage"
>
1. Open
https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.6.4.pdf
2. Search for "KeyUsage"
- 11 occurrences
#1
7.1.2.1 Root CA Certificate
b. keyUsage
This extension MUST be present and MUST be marked critical ...
#3
7.1.2.2 Subordinate CA Certificate
e. keyUsage
This extensio
The extension KeyUsage in subscriber's certificate SHOULD be marked as
critical as in RFC 5280. What if it is not set? Does this violate the
Baseline Requirements or any rules used by Mozilla Security Policy?
Best regards
Lijun