Hi all,
The https://wiki.mozilla.org/CA:NameConstraints discussion is all about SSL.
My post earlier on in this thread was to ensure we cover SSL and S/MIME
differently due to the reality of the different threat models.
I agree that adding a ccTLD to a
On 2015-11-11 19:46, Steve Roylance wrote:
Hypothetically, a government organization wishing to issue S/MIME
certificates to citizens on a range of ccTLD based domains could be
technically constrained through the inclusion of EKU's
I'm just wondering how you would imagine this would work. Would
> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+steve.roylance=globalsign@lists.mozilla.org] On Behalf Of Kurt
> Roeckx
> Sent: 12 November 2015 11:41
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Clarify that a ccTLD is not
On 10/11/2015 10:08 PM, Kathleen Wilson wrote:
All,
I have been asked to consider updating Mozilla's CA Certificate Policy
to clarify that a ccTLD is not acceptable in permittedSubtrees for
technically constraining subordinate CA certs.
In section 7.1.5 of version 1.3 of the Baseline
On 10/11/15 23:44, Ryan Sleevi wrote:
> If a CA has issued such a cert to an applicant that they didn't vet as
> being the authorized representative of the relevant national
> administrator, then that's arguably no different than issuing a cert to
> someone who isn't the authorized domain holder -
On Wed, Nov 11, 2015 at 12:21 AM, Adriano Santoni
wrote:
> The issue I raised is not whether ccTLD are allowed in the BRs (they
> apparently are, to date) or what kind of entity could be allowed a ccTLD in
> their SubCA certificate's permittedSubtrees.
>
> My point
You're right, but I was actually referring to a
third party audit - required for non technically constrained
SubCAs.
Adriano
On 11/11/2015 16:08, Peter Bowen wrote:
On Wed, Nov 11, 2015 at 12:21 AM, Adriano Santoni
On Wed, Nov 11, 2015 at 3:11 AM, Gervase Markham wrote:
> "Presence on the ICANN section of the list" gets closer, but this
> doesn't solve the brand-TLD problem.
>
> Ideally, we would know which TLDs were public-registration and which
> were not; ICANN has made noises about
That's a somewhat paradoxical scenario, but I
suppose it's not altogether impossible.
It is yet another reason why ccTLDs should not be allowed (IMO) in
NameConstraints.permittedSubtrees of a SubCA certificate.
But of course, prohibiting ccTLDs in
Hi Gerv,
Disclaimer...GlobalSign is not the CA behind the ccTLD constraints but we do
have some questions on this subject area w.r.t S/MIME rather than SSL. As
the BR's do not apply to S/MIME and the threat model of SSL and S/MIME use
cases is vastly different we should not try to cover with a
Hi Kathleen.
Apologies, as I should have sent my previous request concerning hypothetical
S/MIME ccTLD usage in response to this post.
My main concern was not to cover S/MIME and SSL Server Certificates with a
single rule.
I hope that came across clearly.
Thanks.
Steve
Sent from my
Regardless of whether technically allowed by the BRs -- a technically
constrained subordinate CA that is not (directly) audited that is allowed
to issue a valid *.us certificate would, if actually discovered in the
wild, create some shockwaves.
Really, any *.us certificate would create
The issue I raised is not whether ccTLD are
allowed in the BRs (they apparently are, to date) or what kind of
entity could be allowed a ccTLD in their SubCA certificate's
permittedSubtrees.
My point is whether a SubCA having a ccTLD in its
I understand the impulse here, but technically, ccTLDs are under the
control of specific administrators per country:
"""
The country code domains (for example, FR, NL, KR,
US) are each organized by an administrator for that country. These
administrators may further delegate the
All,
I have been asked to consider updating Mozilla's CA Certificate Policy
to clarify that a ccTLD is not acceptable in permittedSubtrees for
technically constraining subordinate CA certs.
In section 7.1.5 of version 1.3 of the Baseline Requirement it says:
"(a) For each dNSName in
On Tue, November 10, 2015 12:15 pm, Richard Barnes wrote:
> I understand the impulse here, but technically, ccTLDs are under the
> control of specific administrators per country:
>
> """
> The country code domains (for example, FR, NL, KR,
> US) are each organized by an administrator
16 matches