
Require EV audits for certificates capable of issuing EV certificates #147

Closed
wthayer opened this issue Aug 2, 2018 · 8 comments
Labels
2.7.1 Mozilla Root Store Policy version 2.7.1 audit Issues related to auditing of CAs

Comments

@wthayer
Contributor

wthayer commented Aug 2, 2018

Sections 3.1.2.1 and 3.1.2.2 state that EV audits are required "if issuing EV certificates". This literally means that CAs with EV enabled roots can opt specific intermediates out of EV audit scope by declaring that they don't issue EV certs. Is this what we want? Or should the policy align to capabilities - i.e. any intermediate with serverAuth, anyPolicy, or no EKU signed by an EV-enabled root must be included in the scope of the CA's EV audit?

@WilsonKathleen WilsonKathleen added the 2.7.1 Mozilla Root Store Policy version 2.7.1 label Aug 20, 2020
@WilsonKathleen
Contributor

We need to clarify this policy -- EV-capable intermediate certs must be specifically listed in an EV audit.

@BenWilson-Mozilla
Collaborator

The above-referenced sections need to be revised. Additionally, section 3.1 could be modified by adding a sentence, "Furthermore, EV audits must include all intermediate certificates that contain an EV policy OID or the anyPolicy OID."

@robstradling

3aaa691 is where the "(if issuing EV certificates)" phrase crept in. The commit message is "Update policies allowed/required for ETSI audits. Fixes #81", which I think implies that Gerv did not intend this commit to change anything regarding Mozilla's requirements for WebTrust audits.

The previous phrase in the policy, as you'll see from that commit, was "if applying for EV recognition". EV-capable intermediate certs do not apply for EV recognition. Rather, a CA applies for EV recognition for one or more of its root certificates.

Therefore, ISTM that "if issuing EV certificates" is NOT and was never intended to be interpreted separately for each intermediate certificate. Rather, "if issuing EV certificates" is intended to be either (i) applied to the CA organization as a whole, or (ii) interpreted separately for each of the CA's roots. The upshot of this is that, as @WilsonKathleen wrote, "EV-capable intermediate certs must be specifically listed in an EV audit".

So I agree with Kathleen that what's being discussed here is Clarifying the policy, not Changing it.

I wanted to labour this point for two reasons:

  1. https://crt.sh/mozilla-disclosures#disclosureincomplete has reflected the intended policy for quite some time, so I don't intend to change its behaviour.
  2. At least one CA believes (erroneously, in my view) that this is a discussion about Changing the policy: see https://bugzilla.mozilla.org/show_bug.cgi?id=1650910 comments 21 and 22.

@BenWilson-Mozilla
Collaborator

Thanks, Rob @robstradling. I appreciate your help in clarifying the issue for us.
I'm still trying to figure out your position here. Also, thanks in advance for considering a few more questions I have here. (I have a lot more questions, which I'm not asking here, even though I'm trying to learn more about this issue. When I used to work directly with auditors, I would scope the WebTrust EV audit engagement based only on those issuing CAs that did or would be issuing EV certificates, but maybe I had it wrong.)
Does https://crt.sh/mozilla-disclosures#disclosureincomplete only list CAs that have actually issued EV certificates? (I'm surprised that it lists only 10 issuing CAs where the lack of an EV audit is an issue.)
Are you suggesting this issue be closed? Or do you think that we will see my phrasing of a resolution of this issue eventually (some day) in the policy?
When you agree with Kathleen about clarifying the policy, what did you have in mind?
Thanks again, Ben

@sleevi
Contributor

sleevi commented Sep 4, 2020

Ben: I agree with Rob here, namely:

  • The intent of the policy (and previous versions) was to ensure the EV root, and its subordinates, were in scope
  • An ambiguity was introduced in an update, which has led to confusion, which this bug should clarify
  • Your past interpretation was the problematic one to be addressed :)

@robstradling

Does https://crt.sh/mozilla-disclosures#disclosureincomplete only list CAs that have actually issued EV certificates?

@BenWilson-Mozilla No, actual issuance is not considered. https://crt.sh/mozilla-disclosures#disclosureincomplete lists all of the intermediates that have a capability but do not have an associated audit, according to the CCADB. In each case, the details of which audit(s) are missing are shown in the smallprint.

(I'm surprised that it lists only 10 issuing CAs where the lack of an EV audit is an issue.)

Perhaps EV-capable intermediates that aren't actually used for issuing EV certs are rare? Or perhaps most EV-capable CA organizations correctly understand Mozilla's intended requirement (and therefore have obtained EV audits for all of their EV-capable intermediates, regardless of which of these intermediates actually issue EV certs)?

BTW, this feature, along with https://crt.sh/mozilla-disclosures#disclosedwithinconsistentaudit and https://crt.sh/mozilla-disclosures#disclosedwithinconsistentcps, was discussed on m.d.s.p previously...

24th July 2019, I wrote (https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg12256.html)...

...I've also made the checks for the "Disclosure Incomplete" bucket stricter. Missing/incomplete disclosures of BR and/or EV audits are now flagged.

...and Wayne replied (https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg12259.html)...

Thank you Rob! These are excellent additions to this report.

I'd like to ask all the CA representatives on this list to take a look at the updated report (https://crt.sh/mozilla-disclosures) and correct any issues with your company's disclosures as soon as possible.

Are you suggesting this issue be closed? Or do you think that we will see my phrasing of a resolution of this issue eventually (some day) in the policy?

I think it would be useful to add your phrasing (or something along those lines) to the policy for the purposes of clarification, given that at least 1 CA organization has not correctly understood Mozilla's intended requirement.

When you agree with Kathleen about clarifying the policy, what did you have in mind?

I think that correctly framing the discussion as being about Clarifying policy rather than Changing policy is important for a couple of reasons:

  1. Presumably this issue will be discussed on m.d.s.p soon. Imagine if, during the course of that discussion, somebody was to say "I think we should continue to require EV audits only for intermediate CAs that actually issue EV certs". Such a comment would misunderstand both the current policy and the purpose of the discussion.
  2. If this was a discussion about Changing policy, then I think there would be a strong argument for giving the CAs whose intermediates are flagged by https://crt.sh/mozilla-disclosures#disclosureincomplete a pass, as long as they do get the appropriate additional audits next time around. But since this is about Clarifying policy, then (I think) there's a stronger argument for treating each of the missing audits flagged by https://crt.sh/mozilla-disclosures#disclosureincomplete as an Incident.
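
The capability-based scoping argued for in this thread (an intermediate chaining to an EV-enabled root, whose EKU does not exclude serverAuth and whose certificatePolicies permits the root's EV OID or anyPolicy), contrasted with scoping by actual issuance, as an added example that is not part of this thread and not crt.sh's code. The hierarchy, the second EV policy OID "1.2.3.4.5", and the CCADB-style audit records are constructed; only the well-known OIDs are real.

```python
from dataclasses import dataclass, field
from typing import Optional

# OIDs: anyPolicy and anyExtendedKeyUsage (RFC 5280), serverAuth, CA/B Forum EV
ANY_POLICY = "2.5.29.32.0"
ANY_EKU = "2.5.29.37.0"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CABF_EV = "2.23.140.1.1"

@dataclass
class Intermediate:
    name: str
    issuer_root: str
    ekus: Optional[list]      # None: no EKU extension, i.e. unconstrained
    policies: Optional[list]  # None: no certificatePolicies extension
    audits: set = field(default_factory=set)  # audit types on file, e.g. {"BR", "EV"}
    issues_ev: bool = False   # what the CA says it does; irrelevant to capability

def is_ev_capable(cert: Intermediate, ev_roots: dict) -> bool:
    """Chains to an EV root, EKU permits serverAuth, policies permit an EV OID."""
    ev_oids = ev_roots.get(cert.issuer_root)
    if not ev_oids:
        return False
    if cert.ekus is not None and not ({SERVER_AUTH, ANY_EKU} & set(cert.ekus)):
        return False
    # RFC 5280 6.1.3: no certificatePolicies on a CA cert nulls the policy tree,
    # so nothing below it can assert an EV policy.
    if cert.policies is None:
        return False
    return ANY_POLICY in cert.policies or bool(ev_oids & set(cert.policies))

def ev_audit_scope(certs, ev_roots, by_capability=True):
    """Intended scoping (capability) versus scoping by claimed issuance."""
    if by_capability:
        return {c.name for c in certs if is_ev_capable(c, ev_roots)}
    return {c.name for c in certs if c.issues_ev}

def disclosure_incomplete(certs, ev_roots):
    """EV-capable intermediates with no EV audit on file."""
    return sorted(c.name for c in certs if is_ev_capable(c, ev_roots) and "EV" not in c.audits)

# Constructed sample hierarchy and audit records (not real CA data)
EV_ROOTS = {"Example EV Root": {CABF_EV, "1.2.3.4.5"}}  # root -> its enabled EV OIDs
SAMPLE = [
    Intermediate("EV Issuing CA", "Example EV Root", [SERVER_AUTH], [CABF_EV], {"BR", "EV"}, True),
    Intermediate("DV Issuing CA", "Example EV Root", [SERVER_AUTH], [ANY_POLICY], {"BR"}),
    Intermediate("Legacy CA", "Example EV Root", None, ["1.2.3.4.5"], {"BR"}),
    Intermediate("Email CA", "Example EV Root", ["1.3.6.1.5.5.7.3.4"], [ANY_POLICY], {"BR"}),
    Intermediate("No-policy CA", "Example EV Root", None, None, {"BR"}),
    Intermediate("Other Root child", "Example DV Root", None, [ANY_POLICY], {"BR"}),
]
```

Scoping by issuance puts only "EV Issuing CA" in the EV audit; scoping by capability also pulls in "DV Issuing CA" and "Legacy CA", which is exactly the set the disclosure-incomplete bucket would flag here.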

@benwilsonusa

Thanks! This really helps improve my understanding.

@wthayer
Contributor Author

wthayer commented Sep 18, 2020

Capability is what matters. The policy should be clarified.

@BenWilson-Mozilla BenWilson-Mozilla added the audit Issues related to auditing of CAs label Sep 22, 2020
BenWilson-Mozilla added a commit to BenWilson-Mozilla/pkipolicy that referenced this issue Sep 25, 2020
This is meant to address Issue 147 - mozilla#147
@BenWilson-Mozilla BenWilson-Mozilla changed the title Require EV audits for certificates capable of issuing EV certificates? Require EV audits for certificates capable of issuing EV certificates Sep 29, 2020
BenWilson-Mozilla added a commit to BenWilson-Mozilla/pkipolicy that referenced this issue Feb 10, 2021
Fixed hyperlink to "capable of issuing EV certificates.