Re: MRSP Issue #147 - Require EV audits for certificates capable of issuing EV certificates

2021-01-24 Thread Ben Wilson via dev-security-policy
In addition to the original proposal, I propose that we hyperlink "capable
of issuing EV certificates" to
https://wiki.mozilla.org/CA/EV_Processing_for_CAs#EV_TLS_Capable.

On Thu, Nov 12, 2020 at 11:23 AM Ben Wilson wrote:

>
> On Thu, Nov 12, 2020 at 2:03 AM Dimitris Zacharopoulos via
> dev-security-policy wrote:
>
>> I see that this is related to
>> https://github.com/mozilla/pkipolicy/issues/152, so I guess Mozilla
>> Firefox does not enable "EV Treatment" if an Intermediate CA Certificate
>> does not assert the anyPolicy or the CA's EV policy OID, including the
>> CA/B Forum EV OID, regardless of what the end-entity certificate asserts.
>
> That's correct.
>
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: MRSP Issue #147 - Require EV audits for certificates capable of issuing EV certificates

2020-11-12 Thread Ben Wilson via dev-security-policy
On Thu, Nov 12, 2020 at 2:03 AM Dimitris Zacharopoulos via
dev-security-policy wrote:

> I see that this is related to
> https://github.com/mozilla/pkipolicy/issues/152, so I guess Mozilla
> Firefox does not enable "EV Treatment" if an Intermediate CA Certificate
> does not assert the anyPolicy or the CA's EV policy OID, including the
> CA/B Forum EV OID, regardless of what the end-entity certificate asserts.

That's correct.


Re: MRSP Issue #147 - Require EV audits for certificates capable of issuing EV certificates

2020-11-12 Thread Dimitris Zacharopoulos via dev-security-policy
On 12/11/2020 10:41 a.m., Dimitris Zacharopoulos via dev-security-policy
wrote:
Finally, I would like to highlight that policy OID chaining is not 
currently supported in the webPKI by Browsers, so even if a CA adds a 
particular non-EV policyOID in an Intermediate CA Certificate, this 
SubCA would still be technically capable of issuing an end-entity 
certificate asserting an EV policy OID, and that certificate would 
probably get EV treatment from existing browsers. Is this correct? 


I see that this is related to 
https://github.com/mozilla/pkipolicy/issues/152, so I guess Mozilla 
Firefox does not enable "EV Treatment" if an Intermediate CA Certificate 
does not assert the anyPolicy or the CA's EV policy OID, including the 
CA/B Forum EV OID, regardless of what the end-entity certificate asserts.


Dimitris.




Re: MRSP Issue #147 - Require EV audits for certificates capable of issuing EV certificates

2020-11-12 Thread Dimitris Zacharopoulos via dev-security-policy

On 6/10/2020 11:38 p.m., Ben Wilson via dev-security-policy wrote:

#147 - Require EV audits
for certificates capable of issuing EV certificates – Clarify that EV
audits are required for all intermediate certificates that are technically
capable of issuing EV certificates, even when not currently issuing EV
certificates.

This issue is presented for resolution in the next version of the Mozilla
Root Store Policy.

Suggested language is presented here:
https://github.com/BenWilson-Mozilla/pkipolicy/commit/a83eca6d7d8bf2a3b30529775cb55b0c8a5f982b


The proposal is to replace "if issuing EV certificates" with "if capable of
issuing EV certificates" in two places -- for WebTrust and ETSI audits.



Judging from the earlier discussion that took place in September 2020, I
understand that some CAs have an EV-enabled hierarchy (meaning that the
Root CA is in scope of the EV Guidelines and is included in an audit
with "EV scope"), have issued some Intermediate CAs that issue EV
Certificates and are included in the audit with "EV scope", and some
Intermediate CAs that have never issued EV Certificates, nor are they
intended to issue EV Certificates, and were not listed in the "EV scope"
of the audit.


I realize that this policy change will require Intermediate CAs that
have never issued nor intend to issue EV Certificates to be included in
an EV scope audit with the sole purpose of asserting that no TLS
Certificates have been issued in scope of the EV Guidelines, which
translates into making sure that no end-entity certificate has been
issued asserting the EV policy OID in the certificatePolicies extension.
Is that a fair statement?


Is there going to be an effective date after which Intermediate CA
Certificates which were not intended to issue EV Certificates will be
required to have an EV audit?


Assuming my previous statement is fair, would it suffice for an auditor 
to examine the corpus of non-expired/non-revoked Certificates off of 
these "non-EV" Issuing CAs to ensure that no end-entity certificate has 
been issued asserting the EV policy OID according to the CA's CP/CPS?


Finally, I would like to highlight that policy OID chaining is not 
currently supported in the webPKI by Browsers, so even if a CA adds a 
particular non-EV policyOID in an Intermediate CA Certificate, this 
SubCA would still be technically capable of issuing an end-entity 
certificate asserting an EV policy OID, and that certificate would 
probably get EV treatment from existing browsers. Is this correct?



Thank you,
Dimitris.
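Two checks from this thread are worth seeing in code: the auditor's task of scanning an issuing CA's end-entity certificates for any certificatePolicies value asserting an EV policy OID, and the browser rule Ben confirms (EV treatment requires the intermediate to assert anyPolicy or the same EV OID; a non-EV OID in the intermediate does not chain down). The following is an added example written for this page, not code from Mozilla or any CA: it parses the DER of a certificatePolicies extension value with the standard library only, and the sample extension values are constructed here. The OIDs assumed are the standard anyPolicy (2.5.29.32.0), CA/Browser Forum EV (2.23.140.1.1) and CA/Browser Forum OV (2.23.140.1.2.2) identifiers, which the thread names but does not spell out.

```python
ANY_POLICY = "2.5.29.32.0"    # anyPolicy: an issuer asserting it matches every policy
CABF_EV_OID = "2.23.140.1.1"  # CA/Browser Forum EV policy OID

def _read_tlv(data: bytes, pos: int):
    """Parse one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def decode_oid(value: bytes) -> str:
    """Dotted OID from DER content: first two arcs packed, the rest base-128."""
    arcs, acc = list(divmod(value[0], 40)), 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                       # high bit clear ends the arc
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def policy_oids(cert_policies_der: bytes) -> list[str]:
    """Every policyIdentifier in a certificatePolicies extension value
    (SEQUENCE OF PolicyInformation; policy qualifiers, if any, are skipped)."""
    tag, seq, _ = _read_tlv(cert_policies_der, 0)
    assert tag == 0x30, "certificatePolicies must be a SEQUENCE"
    oids, pos = [], 0
    while pos < len(seq):
        _, info, pos = _read_tlv(seq, pos)                 # PolicyInformation
        oid_tag, oid_val, _ = _read_tlv(info, 0)          # policyIdentifier is first
        assert oid_tag == 0x06, "policyIdentifier must be an OID"
        oids.append(decode_oid(oid_val))
    return oids

def gets_ev_treatment(intermediate_der: bytes, leaf_der: bytes, ev_oids: set[str]) -> bool:
    """Rule as stated in the thread: the leaf asserts an EV OID and the intermediate
    asserts anyPolicy or that same OID. A non-EV OID in the intermediate does not chain."""
    leaf_ev = set(policy_oids(leaf_der)) & ev_oids
    ca = set(policy_oids(intermediate_der))
    return bool(leaf_ev) and (ANY_POLICY in ca or bool(leaf_ev & ca))

def audit_ev_leaves(corpus: list[bytes], ev_oids: set[str]) -> list[int]:
    """Auditor's check from the thread: indexes of leaf certificatePolicies values
    that assert an EV OID. Expected to be empty for a 'non-EV' issuing CA."""
    return [i for i, der in enumerate(corpus) if set(policy_oids(der)) & ev_oids]

# Constructed sample certificatePolicies values (not from any real certificate):
CA_OV_ONLY = bytes.fromhex("300a 3008 0606 67810c010202")        # 2.23.140.1.2.2 only
CA_ANY_POLICY = bytes.fromhex("3008 3006 0604 551d2000")          # anyPolicy
LEAF_EV = bytes.fromhex("3013 3007 0605 67810c0101 3008 0606 67810c010202")  # EV + OV
LEAF_OV = CA_OV_ONLY                                              # same OV-only policy
```

Running `audit_ev_leaves` over the extension values of every non-expired, non-revoked certificate issued by a "non-EV" intermediate is the mechanical form of the check Dimitris asks about; `gets_ev_treatment(CA_OV_ONLY, LEAF_EV, {CABF_EV_OID})` returning False illustrates why the intermediate's own policy OIDs decide the outcome.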