On Friday, February 3, 2017 at 6:36:54 AM UTC+8, Kathleen Wilson wrote:
> On Tuesday, December 13, 2016 at 2:36:15 PM UTC-8, Kathleen Wilson wrote:
> > Thanks to all of you who have reviewed and commented on this request from
> > Government of Taiwan, Government Root Certification Authority (GRCA), to
> > include their renewed Government Root Certification Authority root
> > certificate, and turn on the Websites and Email trust bits.
> >
> > To summarize this discussion so far, two primary concerns have been raised,
> > as follows.
> >
> > 1) There are several intermediate certificates that are technically capable
> > of issuing TLS certificates, but have not been audited according to the
> > BRs. This is a show-stopper.
> >
> > Reference:
> > https://wiki.mozilla.org/CA:BaselineRequirements#Whole-Population_Audit_of_Intermediate_Certs
> > “BR Audits must always include the whole-population audit of intermediate
> > certificates that are capable of issuing SSL certs.”
> >
> > This means that if the intermediate certificate is not technically
> > constrained via EKU (and name constraints) then it must be audited
> > according to the BRs.
> >
> > We have resolved this particular situation in the past by having the CA get
> > an audit statement saying that the intermediate certificate has not issued
> > TLS certificates during the audit period. And requiring that the CA get
> > such an audit statement annually.
> >
>
> The CA has been working with their auditor to get an appropriate audit
> statement that covers all of the intermediate certs chaining up to this root.
>
In accordance with Kathleen's advice, our auditor has provided such an audit
statement (https://bug1065896.bmoattachments.org/attachment.cgi?id=8835815).
> >
> > 2) The new root certificate has the same exact full distinguished name as
> > the old root certificate. I think this is OK.
> >
> > The CA tested this with Firefox, and provided their test results:
> > https://bugzilla.mozilla.org/attachment.cgi?id=8818360
> >
>
> The new root cert having the same DN as the old root cert appears to work
> from a technical standpoint (i.e. mozilla::pkix will find the right path if
> all necessary certificates are present). However, the duplicate names have
> already caused unnecessary confusion:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1304264
>
> This "new" root certificate was created in 2012, is included in Microsoft's
> program, and has several active intermediate certs. So it might not be
> reasonable to ask the CA to generate a new root certificate at this point in
> time. However, I urge the CA to take note, and not repeat this with the next
> generation of their root certificate.
>
> Kathleen
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy