RE: Clarify that a ccTLD is not acceptable in permittedSubtrees

Hi all, The https://wiki.mozilla.org/CA:NameConstraints discussion is all about SSL. My post earlier on in this thread was to ensure we cover SSL and S/MIME differently due to the reality of the different threat models. I agree that adding a ccTLD to a

Re: Clarify that a ccTLD is not acceptable in permittedSubtrees

On 2015-11-11 19:46, Steve Roylance wrote: Hypothetically, a government organization wishing to issue S/MIME certificates to citizens on a range of ccTLD based domains could be technically constrained through the inclusion of EKU's I just wondering how you would imagine this would work. Would

RE: Clarify that a ccTLD is not acceptable in permittedSubtrees

> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve.roylance=globalsign@lists.mozilla.org] On Behalf Of Kurt > Roeckx > Sent: 12 November 2015 11:41 > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Clarify that a ccTLD is not

Re: Clarify that a ccTLD is not acceptable in permittedSubtrees

On 10/11/2015 10:08 μμ, Kathleen Wilson wrote: All, I have been asked to consider updating Mozilla's CA Certificate Policy to clarify that a ccTLD is not acceptable in permittedSubtrees for technically constraining subordinate CA certs. In section 7.1.5 of version 1.3 of the Baseline

Re: Clarify that a ccTLD is not acceptable in permittedSubtrees

On 10/11/15 23:44, Ryan Sleevi wrote: > If a CA has issued such a cert to an applicant that they didn't vet as > being the authorized representative of the relevant national > administrator, then that's arguably no different than issuing a cert to > someone who isn't the authorized domain holder -

Re: Clarify that a ccTLD is not acceptable in permittedSubtrees

On Wed, Nov 11, 2015 at 12:21 AM, Adriano Santoni wrote: > The issue I raised is not whether ccTLD are allowed in the BRs (they > apparently are, to date) or what kind of entity could be allowed a ccTLD in > their SubCA certificate's permittedSubtrees. > > My point

Re: Clarify that a ccTLD is not acceptable in permittedSubtrees

You're right, but I was actually referring to a third party audit - required for non technically constrained SubCAs. Adriano Il 11/11/2015 16:08, Peter Bowen ha scritto: On Wed, Nov 11, 2015 at 12:21 AM, Adriano Santoni

Re: Clarify that a ccTLD is not acceptable in permittedSubtrees

On Wed, Nov 11, 2015 at 3:11 AM, Gervase Markham wrote: > "Presence on the ICANN section of the list" gets closer, but this > doesn't solve the brand-TLD problem. > > Ideally, we would know which TLDs were public-registration and which > were not; ICANN has made noises about

Re: Clarify that a ccTLD is not acceptable in permittedSubtrees

That's a somewhat paradoxical scenario, but I suppose it's not altogether impossible. It is yet another reason why ccTLDs should not be allowed (IMO) in NameConstraints.permittedSubtrees of a SubCA certificate. But of course, prohibiting ccTLDs in

RE: Clarify that a ccTLD is not acceptable in permittedSubtrees

Hi Gerv, Disclaimer...GlobalSign is not the CA behind the ccTLD constraints but we do have some questions on this subject area w.r.t S/MIME rather than SSL. As the BR's do not apply to S/MIME and the threat model of SSL and S/MIME use cases is vastly different we should not try to cover with a

Re: Clarify that a ccTLD is not acceptable in permittedSubtrees

Hi Kathleen. Apologies, as I should have sent my previous request concerning hypothetical S/MIME ccTLD usage in response to this post. My main concern was not to cover S/MIME and SSL Server Certificates with a single rule. I hope that came across clearly. Thanks. Steve Sent from my

Re: Clarify that a ccTLD is not acceptable in permittedSubtrees

Regardless of whether technically allowed by the BRs -- a technically constrained subordinate CA that is not (directly) audited that is allowed to issue a valid *.us certificate would, if actually discovered in the wild, create some shockwaves. Really, any *.us certificate would create

Re: Clarify that a ccTLD is not acceptable in permittedSubtrees

The issue I raised is not whether ccTLD are allowed in the BRs (they apparently are, to date) or what kind of entity could be allowed a ccTLD in their SubCA certificate's permittedSubtrees. My point is whether a SubCA having a ccTLD in its

Re: Clarify that a ccTLD is not acceptable in permittedSubtrees

I understand the impulse here, but technically, ccTLDs are under the control of specific administrators per country: """ The country code domains (for example, FR, NL, KR, US) are each organized by an administrator for that country. These administrators may further delegate the

Clarify that a ccTLD is not acceptable in permittedSubtrees

All, I have been asked to consider updating Mozilla's CA Certificate Policy to clarify that a ccTLD is not acceptable in permittedSubtrees for technically constraining subordinate CA certs. In section 7.1.5 of version 1.3 of the Baseline Requirement it says: "(a) For each dNSName in

Re: Clarify that a ccTLD is not acceptable in permittedSubtrees

On Tue, November 10, 2015 12:15 pm, Richard Barnes wrote: > I understand the impulse here, but technically, ccTLDs are under the > control of specific administrators per country: > > """ > The country code domains (for example, FR, NL, KR, > US) are each organized by an administrator