[cabfpub] (Eventually) requiring id-kpServerAuth for all certs in the chain?
sleevi at google.com
Thu Nov 20 09:40:51 MST 2014
On Nov 20, 2014 6:03 AM, "Gervase Markham" <gerv at mozilla.org> wrote:
> On 19/11/14 23:21, Jeremy Rowley wrote:
> > I think Ryan’s suggestion is best. If all intermediates capable of SSL
> > issuance are BR audited, then there isn’t an issue. You still need to
> > disclose their existence in accordance with the Mozilla policy, but
> > there won’t be a need to reissue the certs.
> > Plus, all the groups I contacted responded that their intermediates are
> > already compliant and wouldn’t have issues with a BR audit. I’d support
> > moving forward with Ryan’s proposal.
> How does Ryan's proposal differ from Brian's?
> Brian's proposal, as I now understand it, is basically that we make what
> Mozilla requires (in terms of constrain or disclose-and-audit) part of
> the BRs rather than just Mozilla policy. And we define that the BRs
> cover all publicly-trusted roots, all disclosed-and-audited
> intermediates, and certificates issued from them.
Correct. That's what I proposed and explained during the Mountain View F2F.
That addresses the short-term auditing gap without requiring mass
reissuance by CAs and dealing with the attendant PKI complexities involved
when customers fail to update their sites.
I realize mozilla::pkix leaves Firefox in a better place than it was
historically. Buy there are still a number of clients (notable among them
both Android and iOS, but also OS X) that are more finicky.
The changing of the certificates themselves can then be accomplished over a
slower time period, and carefully.
Coupling the audit coverage clarification to a massive certificate change
does not seem advisable, which is why I proposed this even prior to Mozilla
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public