Require EV audits for certificates capable of issuing EV certificates #147
Comments
We need to clarify this policy -- EV-capable intermediate certs must be specifically listed in an EV audit.
The above-referenced sections need to be revised. Additionally, section 3.1 could be modified by adding a sentence, "Furthermore, EV audits must include all intermediate certificates that contain an EV policy OID or the anyPolicy OID."
3aaa691 is where the "(if issuing EV certificates)" phrase crept in. The commit message is "Update policies allowed/required for ETSI audits. Fixes #81", which I think implies that Gerv did not intend this commit to change anything regarding Mozilla's requirements for WebTrust audits. The previous phrase in the policy, as you'll see from that commit, was "if applying for EV recognition". EV-capable intermediate certs do not apply for EV recognition. Rather, a CA applies for EV recognition for one or more of its root certificates. Therefore, ISTM that "if issuing EV certificates" is NOT and was never intended to be interpreted separately for each intermediate certificate. Rather, "if issuing EV certificates" is intended to be either (i) applied to the CA organization as a whole, or (ii) interpreted separately for each of the CA's roots. The upshot of this is that, as @WilsonKathleen wrote, "EV-capable intermediate certs must be specifically listed in an EV audit". So I agree with Kathleen that what's being discussed here is Clarifying the policy, not Changing it. I wanted to labour this point for two reasons:
Thanks, Rob @robstradling I appreciate your help in clarifying the issue for us.
Ben: I agree with Rob here, namely:
@BenWilson-Mozilla No, actual issuance is not considered. https://crt.sh/mozilla-disclosures#disclosureincomplete lists all of the intermediates that have a capability but do not have an associated audit, according to the CCADB. In each case, the details of which audit(s) are missing are shown in the smallprint.
Perhaps EV-capable intermediates that aren't actually used for issuing EV certs are rare? Or perhaps most EV-capable CA organizations correctly understand Mozilla's intended requirement (and therefore have obtained EV audits for all of their EV-capable intermediates, regardless of which of these intermediates actually issue EV certs)? BTW, this feature, along with https://crt.sh/mozilla-disclosures#disclosedwithinconsistentaudit and https://crt.sh/mozilla-disclosures#disclosedwithinconsistentcps, was discussed on m.d.s.p previously... 24th July 2019, I wrote (https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg12256.html)...
...and Wayne replied (https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg12259.html)...
I think it would be useful to add your phrasing (or something along those lines) to the policy for the purposes of clarification, given that at least 1 CA organization has not correctly understood Mozilla's intended requirement.
I think that correctly framing the discussion as being about Clarifying policy rather than Changing policy is important for a couple of reasons:
Thanks! This really helps improve my understanding.
Capability is what matters. The policy should be clarified.
This is meant to address Issue 147 - mozilla#147
Fixed hyperlink to "capable of issuing EV certificates".
Sections 3.1.2.1 and 3.1.2.2 state that EV audits are required "if issuing EV certificates". This literally means that CAs with EV enabled roots can opt specific intermediates out of EV audit scope by declaring that they don't issue EV certs. Is this what we want? Or should the policy align to capabilities - i.e. any intermediate with serverAuth, anyPolicy, or no EKU signed by an EV-enabled root must be included in the scope of the CA's EV audit?
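The capability-based reading discussed in this thread can be expressed as a check over intermediate records. The following is an added example, not code from any participant, Mozilla, crt.sh or the CCADB. It assumes a hypothetical record layout (`eku`, `policies`, `root_ev_enabled`, `ev_audit`, `issues_ev`), treats only the CA/Browser Forum EV policy OID as an EV policy OID, and combines the EKU and policy conditions mentioned above; the sample records are constructed.

```python
# Added example: flag EV-capable intermediates that lack an EV audit.
# Field names and SAMPLE records are hypothetical, constructed for illustration.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
ANY_EKU = "2.5.29.37.0"             # anyExtendedKeyUsage
ANY_POLICY = "2.5.29.32.0"          # anyPolicy
CABF_EV = "2.23.140.1.1"            # CA/Browser Forum EV policy OID


def tls_capable(eku):
    """An absent EKU extension (None) leaves the CA unrestricted."""
    return eku is None or SERVER_AUTH in eku or ANY_EKU in eku


def ev_capable(cert, ev_oids=frozenset({CABF_EV})):
    """Capability decides the result; actual issuance is never consulted."""
    if not cert["root_ev_enabled"] or not tls_capable(cert["eku"]):
        return False
    policies = set(cert["policies"])
    return ANY_POLICY in policies or bool(policies & ev_oids)


def missing_ev_audit(intermediates):
    """Names of EV-capable intermediates with no EV audit on record."""
    return [c["name"] for c in intermediates
            if ev_capable(c) and not c["ev_audit"]]


SAMPLE = [
    {"name": "Sample EV Issuing CA", "root_ev_enabled": True,
     "eku": [SERVER_AUTH], "policies": [CABF_EV],
     "ev_audit": True, "issues_ev": True},
    {"name": "Sample Unconstrained CA", "root_ev_enabled": True,
     "eku": None, "policies": [ANY_POLICY],
     "ev_audit": False, "issues_ev": False},
    {"name": "Sample DV-only CA", "root_ev_enabled": True,
     "eku": [SERVER_AUTH], "policies": ["2.23.140.1.2.1"],
     "ev_audit": False, "issues_ev": False},
    {"name": "Sample S/MIME CA", "root_ev_enabled": True,
     "eku": ["1.3.6.1.5.5.7.3.4"], "policies": [ANY_POLICY],
     "ev_audit": False, "issues_ev": False},
    {"name": "Sample Dormant EV CA", "root_ev_enabled": True,
     "eku": [SERVER_AUTH], "policies": [CABF_EV],
     "ev_audit": False, "issues_ev": False},
]

if __name__ == "__main__":
    for name in missing_ev_audit(SAMPLE):
        print("EV-capable, no EV audit:", name)
```

The "Sample Dormant EV CA" record is flagged even though `issues_ev` is false, which is the difference between the capability reading and the literal "if issuing EV certificates" reading.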