Disclose also TCSC to CCADB #229
Conversation
As discussed on the list (https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XsVpyOGlagE/m/xw8JGJYZBAAJ) it seems to be reasonable to require also technically constraint sub CAs to be disclosed to CCADB if they chain up to a root in Mozilla's root store.
|
@BenWilson-Mozilla as discussed on the list |
|
This proposed change would also require a change in section 5 of the CCADB Policy document - https://www.ccadb.org/policy, which currently excepts from reporting when "The certificate is technically-constrained as described in section 7.1.5 of the CA/Browser Forum Baseline Requirements, ..." |
If I don't misread the CCADB policy, then CCADB is not forbidding to upload technically constrained CAs. They don't require it, but one can upload technically constrained CA. This would mean, we can do this change to the Mozilla Root Store Policy without adapting the CCADB policy. |
|
That's fine. I don't disagree, but we ought to change it in all places so that it is consistent and clear. |
I can't open a PR for the CCADB policy. Can you do so? |
|
Just for reference: |
This language is meant to address Mozilla policy Issue mozilla#229.
Fixed wrong date.
|
@BenWilson-Mozilla is it truly the intend of Mozilla, that a technical constrained CA doesn't have to be audited? |
I think that is currently the stated policy, although there is nothing to prevent that from changing in the future. Looking at it from a standard, WebTrust audit perspective, I think all subordinate CAs should be listed and included in the audit. However, if a CA isn't "technically capable" because it has an EKU which is not the serverAuth EKU or anyEKU EKU, then I wouldn't expect to see it in a WebTrust Baseline Requirements audit. |
Based on the definition of chapter 5.3.1 MRSP paragraph 2 a CA would also be "technically constrained" if it includes both: the EKU serverAuth and name constraints. This would mean, that the operation of an TLS Issuing CA with name constraints would not have to be covered by an audit. Only the issuance of this Issuing CA would be covered in the audit of the intermediate CA. And in case the issuing CA is operated by a organization different to the intermediate CA, it could end up in a situation, where a Issuing CA is operated by an organization that is not audited at all.
The ETSI audit of the intermediate CA would only mention (actually I don't even see a requirement to do so), that the issuing CA was generated but it would not cover the operational compliance to the BRGs of the issuing CA. And the same would be true for S/MIME CAs. |
Does anyone have suggested language changes to propose that might address any concerns? |
My remarks are not 'concerns'. I'm only trying to understand the intend of Mozilla. If the intent is, that the operations of a name constrained, technically constrained TLS CA doesn't have to be audited, the current language is in principle okay. Only if this is not the intent, we would have to update the language. |
|
@RufusJWB I believe the intent is to disclose, as part of the operations of the issuing CA, all technically-constrained sub-CAs issued, not to require that the sub-CA is audited. Maybe I misunderstood #229 (comment) but I thought Ben’s remark was for possible changes in the future, not the present. |
Thanks for the clarification. There may be nuanced situations that will make it important for a TCSC to be audited, so I'm not closing the door. However, Section 8 of the Baseline Requirements currently states that a TLS CA must either have an audit or be technically constrained. I am thinking that if Mozilla desired to change its policy, that we would approach the CA/Browser Forum for a discussion and ballot on this issue. |
Understood! Thank you for clarification. In that case, I think the proposed language of yours is totally fine. |
Proposed changes to address Issue mozilla#229 re: MRSP section 5.3
Made additional edits to section 5.3 (addressing Issue mozilla#229)
Removed duplicate language in section 5.3 re: disclosure in the CCADB related to Issue mozilla#229.
As discussed on the list (https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XsVpyOGlagE/m/xw8JGJYZBAAJ) it seems to be reasonable to require also technically constraint sub CAs to be disclosed to CCADB if they chain up to a root in Mozilla's root store.