Hello Kai, 

On Friday, June 30, 2017 at 7:38:59 PM UTC+3, Kai Engert wrote:
> Hello Gerv,
> 
> I think the new format should be as complete as possible, including both trust
> and distrust information, including EV and description of rules for partial
> distrust.
> 
> As of today, certdata.txt contains:
> - whitelisted root CAs (trusted for one or more purposes)
> - distrusted/blacklisted certificates (which can be either CAs, intermediate
>   CAs or end entity certificates), based on varying identification criteria
>   (sometimes we distrust all matches based on issuer/serial,
>   sometimes we are more specific and only distrust if the certificate also
>   matches exactly a specific hash)
> 
> But it doesn't list the additional decisions that Mozilla has implemented in
> code:
> - additional domain name constraints
> - additional validity constraints for issued certificates
> - additional required whitelist matching

...

> We could define identifiers for each class of trust restrictions (CTR), e.g.:
> - permitted name constraint
> - excluded name constraints
> - restricted to serial/name whitelist
> - not valid for serial/name blacklist
> - restrict validity period of root CA
> - restrict allowed validity of issued EE or intermediates
> - require successful revocation checking
> - require successful Certificate Transparency lookup
> - ...
> 
> This list could be expanded in the future, so a list consumer that has
> implemented all of the older CTRs could decide to not trust new CAs that have
> unknown CTRs defined.


Let me introduce an IETF draft 
https://datatracker.ietf.org/doc/draft-belyavskiy-certificate-limitation-policy/

The draft is in an initial phase. I made a presentation based on it during the
SAAG meeting at IETF 99. It describes a possible format for such a list of
limitations applied to trusted certificates. The specification is designed to
avoid as many limitations hard-coded in applications as possible.

So if there is any interest in improving and finalizing the draft, that would be
great. I got at least some interest in it from the OpenSSL team.

--
Sincerely yours, Dmitry Belyavskiy
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
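The consumer behaviour Kai describes above (enforce the CTRs you implement, and treat a CA whose record carries a CTR you do not know as untrusted), as an added example that is not part of this thread or of the draft. The record layout, the CTR identifiers and the sample entries are constructed assumptions, not any real list format:

```python
# Added example, not from the thread or the draft: a fail-closed consumer of a
# hypothetical restriction list; record layout and CTR names are assumptions.
from dataclasses import dataclass

KNOWN_CTRS = {"permitted_names", "excluded_names", "max_ee_validity_days"}  # enforced here

@dataclass
class TrustRecord:
    label: str        # stands in for the CA identifier (e.g. a certificate hash)
    trusted_for: set  # purposes the CA is whitelisted for, e.g. {"server_auth"}
    ctrs: dict        # CTR identifier -> parameter

@dataclass
class LeafCert:
    issuer_label: str
    dns_names: list
    validity_days: int  # notAfter - notBefore, computed by the caller

def name_matches(name, constraint):
    # RFC 5280 dNSName semantics: equal to, or a subdomain of, the constraint
    return name == constraint or name.endswith("." + constraint)

def evaluate(records, cert, purpose="server_auth"):
    """Return (trusted, reason); a record with an unknown CTR is not trusted."""
    rec = next((r for r in records if r.label == cert.issuer_label), None)
    if rec is None:
        return False, "issuer not on the list"
    if purpose not in rec.trusted_for:
        return False, "issuer not trusted for " + purpose
    unknown = set(rec.ctrs) - KNOWN_CTRS
    if unknown:  # fail closed instead of silently ignoring a restriction
        return False, "unknown CTR(s): " + ", ".join(sorted(unknown))
    permitted = rec.ctrs.get("permitted_names")
    excluded = rec.ctrs.get("excluded_names", [])
    for name in cert.dns_names:
        if permitted and not any(name_matches(name, p) for p in permitted):
            return False, name + " outside permitted names"
        if any(name_matches(name, e) for e in excluded):
            return False, name + " in excluded names"
    limit = rec.ctrs.get("max_ee_validity_days")
    if limit is not None and cert.validity_days > limit:
        return False, "EE validity exceeds %d days" % limit
    return True, "ok"

# Constructed sample list: one CA with known CTRs, one carrying an unknown CTR.
SAMPLE_RECORDS = [
    TrustRecord("ca-gov-example", {"server_auth"}, {"permitted_names": ["example.gov"],
                "excluded_names": ["internal.example.gov"], "max_ee_validity_days": 398}),
    TrustRecord("ca-new-example", {"server_auth"}, {"require_ct": True}),
]
```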