Re: When does Technically Constrained != Technically Constrained?

On 23/05/16 22:41, Richard Barnes wrote: On Mon, May 23, 2016 at 5:28 PM, Rob Stradling wrote: Why invent a new thing? Even if we make an old thing new, there's still the transition :) That's true, but it would be an easier transition. -- Rob Stradling Senior Research & Development

Re: When does Technically Constrained != Technically Constrained?

On 19/05/16 17:39, Kathleen Wilson wrote: My interpretation of the above regarding root certificates with only the Email trust bit enabled or intermediate certificates with only id-kp-emailProtection EKU is that in order to be technically constrained, the CA has to make sure (via technical

Re: When does Technically Constrained != Technically Constrained?

On Thursday, May 19, 2016 at 6:58:36 AM UTC-7, Rob Stradling wrote: > Specifically, what are the disclosure requirements for intermediates > that can only issue id-kp-emailProtection and/or id-kp-codeSigning > end-entity certs? Quotes form policy and supporting wiki page: ~~

RE: When does Technically Constrained != Technically Constrained?

@lists.mozilla.org] On Behalf Of Rob Stradling Sent: Thursday, May 19, 2016 9:54 AM To: Dimitris Zacharopoulos <ji...@it.auth.gr> Cc: mozilla-dev-security-pol...@lists.mozilla.org <dev-security-policy@lists.mozilla.org> Subject: Re: When does Technically Constrained != Technically Constrained?

Re: When does Technically Constrained != Technically Constrained?

On 19/05/16 15:23, Dimitris Zacharopoulos wrote: On 19/5/2016 4:36 μμ, Rob Stradling wrote: On 18/05/16 17:23, Dimitris Zacharopoulos wrote: This intermediate seems technically constrained for SSL and S/MIME certificates, which are the only type of certs under the current Mozilla policy.

Re: When does Technically Constrained != Technically Constrained?

On 18/05/16 19:38, Kathleen Wilson wrote: On Wednesday, May 18, 2016 at 7:17:01 AM UTC-7, Rob Stradling wrote: However, then that page says... "Intermediate certificates are considered to be technically constrained, and do not need to be added to the CA Community in Salesforce if: - The

Re: When does Technically Constrained != Technically Constrained?

On 18/05/16 17:23, Dimitris Zacharopoulos wrote: This intermediate seems technically constrained for SSL and S/MIME certificates, which are the only type of certs under the current Mozilla policy. Dimitris, are we looking at the same version of the Mozilla policy? I'm looking at this one:

Re: When does Technically Constrained != Technically Constrained?

On Wednesday, May 18, 2016 at 7:17:01 AM UTC-7, Rob Stradling wrote: > The following intermediate certificate is not "technically constrained" > according to the Policy. It contains id-kp-codeSigning, but does not > "contain a directoryName permittedSubtrees constraint where each >

Re: When does Technically Constrained != Technically Constrained?

This intermediate seems technically constrained for SSL and S/MIME certificates, which are the only type of certs under the current Mozilla policy. Having extra nameConstraints for this particular intermediate, seems to be unnecessary, for the Mozilla root program. DZ. > On 18 Μαΐ 2016,

When does Technically Constrained != Technically Constrained?

The following intermediate certificate is not "technically constrained" according to the Policy. It contains id-kp-codeSigning, but does not "contain a directoryName permittedSubtrees constraint where each permittedSubtree contains the organizationName, localityName (where relevant),