CA/CertificatePolicyV2.1: Difference between revisions

#* As stated in the CA/Browser Forum's Baseline Requirements document: Non-critical Name Constraints are an exception to RFC 5280 that MAY be used until the Name Constraints extension is supported by Application Software Suppliers whose software is used by a substantial portion of Relying Parties worldwide.
#* The question about Name Constraints being marked critical was discussed in the [https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/UgqTBOdGH6s mozilla.dev.security.policy forum.] The critical bit does not mean 'important'. It means 'break backwards compatibility': under RFC 5280, software that does not implement Name Constraints must reject a certificate whose Name Constraints extension is marked critical, whereas it silently ignores a non-critical one (so a non-critical constraint is only enforced by software that understands it). This means that certificates created with critical Name Constraints will not work in some widely-used browsers and application software. Therefore, we determined that in order to make forward progress in our policy, we would need to allow non-critical Name Constraints until Name Constraints are more broadly supported. We also decided to let this exception be handled in the CA/Browser Forum's Baseline Requirements document, and not specifically call it out in Mozilla's policy.
# How do I technically constrain a subordinate CA certificate that will only be used to issue end-user certificates intended for client authentication?
#* For the subCA certificate to be considered technically constrained according to item #9 of [http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy,] it must have the Extended Key Usage (EKU) extension containing the id-kp-clientAuth KeyPurposeId (plus whatever else is needed), and the EKU extension must '''not''' include anyExtendedKeyUsage, nor any of id-kp-serverAuth, id-kp-emailProtection or id-kp-codeSigning unless the corresponding additional constraint below is also in place:
#** If the EKU extension includes id-kp-serverAuth, then (in order to be considered technically constrained) the subCA certificate must also include the Name Constraints extension as described in item #9 of [http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy.]
#** If the EKU extension includes id-kp-emailProtection, then (in order to be considered technically constrained) technical and/or business controls need to be in place to ensure that the subCA only issues certs for email addresses that the CA has confirmed the subCA is authorized to use, as described in item #9 of [http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy.]
#** If the EKU extension includes id-kp-codeSigning, then (in order to be considered technically constrained) the subCA certificate must also contain a directoryName permittedSubtrees constraint as described in item #9 of [http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy.]
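The checks in the answer above, worked through as an added example. This is not code from the wiki page or from Mozilla; it is illustrative and assumes the extension values have already been pulled out of the subCA certificate as (oid, critical, DER value) tuples. It decodes only the two extension syntaxes involved, ExtKeyUsage and NameConstraints, with a minimal DER reader, so it runs with no third-party library. check_technically_constrained applies the EKU and Name Constraints rules as listed here, and relying_party_accepts models the critical-bit behaviour from the forum discussion. The serverAuth test only requires a non-empty permittedSubtrees and does not encode everything item #9 says. All function and constant names, and the sample extension values at the end, are this example's own.

```python
# Technical-constraint checks for a subCA's EKU and Name Constraints extensions,
# plus RFC 5280 critical-bit handling. Sample values at the bottom are constructed.
OID_EKU = "2.5.29.37"                    # id-ce-extKeyUsage
OID_NAME_CONSTRAINTS = "2.5.29.30"       # id-ce-nameConstraints
ANY_EKU = "2.5.29.37.0"                  # anyExtendedKeyUsage
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"        # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"        # id-kp-clientAuth
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"       # id-kp-codeSigning
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"   # id-kp-emailProtection
GENERAL_NAME_TAGS = {0x81: "rfc822Name", 0x82: "dNSName", 0xA4: "directoryName"}

def tlv(tag, body):  # DER tag-length-value, short-form length (enough for the samples)
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def read_tlv(data, pos=0):  # decode the DER element at data[pos] -> (tag, value, next_pos)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long-form length, common in real extensions
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def children(body):  # all (tag, value) elements inside a constructed element's body
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out

def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (first two arcs packed, base-128 rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, (arc & 0x7F) | 0x80)
        body += bytes(chunk)
    return tlv(0x06, bytes(body))

def decode_oid(raw):
    """DER OBJECT IDENTIFIER content octets -> dotted string."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def parse_eku(der):  # ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId -> dotted OIDs
    _, body, _ = read_tlv(der)
    return [decode_oid(v) for t, v in children(body) if t == 0x06]

def parse_name_constraints(der):
    """NameConstraints ::= SEQUENCE { permittedSubtrees [0], excludedSubtrees [1] },
    each a SEQUENCE OF GeneralSubtree whose first element is the base GeneralName."""
    _, body, _ = read_tlv(der)
    result = {"permitted": [], "excluded": []}
    for tag, subtrees in children(body):
        key = "permitted" if tag == 0xA0 else "excluded"
        for _, subtree in children(subtrees):
            gn_tag, gn_value, _ = read_tlv(subtree)
            kind = GENERAL_NAME_TAGS.get(gn_tag, f"tag{gn_tag:#x}")
            # IA5String names decode to text; directoryName stays a DER-encoded Name
            name = gn_value.decode("ascii") if gn_tag in (0x81, 0x82) else gn_value
            result[key].append((kind, name))
    return result

def check_technically_constrained(extensions):
    """extensions: iterable of (oid, critical, der_value) as carried in the subCA cert.
    Returns (constrained, failures, needs_review) following the rules above."""
    ext = {oid: der for oid, _, der in extensions}
    # A subCA with no EKU at all is as unconstrained as one asserting anyExtendedKeyUsage
    purposes = parse_eku(ext[OID_EKU]) if OID_EKU in ext else [ANY_EKU]
    nc = parse_name_constraints(ext[OID_NAME_CONSTRAINTS]) if OID_NAME_CONSTRAINTS in ext else None
    permitted_kinds = {kind for kind, _ in nc["permitted"]} if nc else set()
    failures = []
    if ANY_EKU in purposes:
        failures.append("anyExtendedKeyUsage present, or no EKU extension at all")
    if SERVER_AUTH in purposes and not permitted_kinds:
        failures.append("id-kp-serverAuth without Name Constraints permittedSubtrees")
    if CODE_SIGNING in purposes and "directoryName" not in permitted_kinds:
        failures.append("id-kp-codeSigning without a directoryName permittedSubtree")
    # Email issuance may be limited by business controls instead: not decidable from the cert
    review = (["id-kp-emailProtection without rfc822Name constraints: confirm business controls"]
              if EMAIL_PROTECTION in purposes and "rfc822Name" not in permitted_kinds else [])
    return not failures, failures, review

def relying_party_accepts(extensions, implemented_oids):
    """RFC 5280 4.2: an unrecognised critical extension forces rejection; an
    unrecognised non-critical one is ignored, so its constraint is not enforced."""
    return all(not critical or oid in implemented_oids for oid, critical, _ in extensions)

# Constructed sample extension values (hypothetical, not from any real subCA)
EKU_CLIENT_ONLY = tlv(0x30, encode_oid(CLIENT_AUTH))
EKU_CLIENT_SERVER = tlv(0x30, encode_oid(CLIENT_AUTH) + encode_oid(SERVER_AUTH))
# permittedSubtrees containing the single GeneralSubtree { base dNSName "example.com" }
NC_EXAMPLE_COM = tlv(0x30, tlv(0xA0, tlv(0x30, tlv(0x82, b"example.com"))))
```

With the constructed extension list [(OID_EKU, False, EKU_CLIENT_SERVER), (OID_NAME_CONSTRAINTS, False, NC_EXAMPLE_COM)], check_technically_constrained reports the subCA as constrained, and relying_party_accepts returns True for a verifier that implements only the EKU extension, which means that verifier will also not enforce the name constraint. Flip the Name Constraints critical flag to True and the same verifier rejects the chain: that is the compatibility break the forum thread weighed against enforcement.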