Open Bug 991921 Opened 10 years ago Updated 2 years ago

EV treatment should not be given when end-entity cert is signed directly by the root cert

Categories: Core :: Security: PSM, enhancement, P3

People: Reporter: kwilson, Unassigned

Whiteboard: [psm-backlog]

The EV Guidelines (https://cabforum.org/extended-validation/) say:
"12 Certificate Issuance by a Root CA ...
Root CA Private Keys MUST NOT be used to sign EV Certificates."

Please programmatically enforce this.

I think we would need to do compatibility testing for this change, but I haven't seen many EV sites with SSL certs signed directly by the root.
Here's one: https://valid.evident.ca13.ssl.buypass.no/

Although the EV Guidelines says that a root cannot be used to issue EV certificates, the Baseline Requirements allow a root to issue test certificates. I think that the EV requirement was to not allow certificates to be issued to customers directly from the root, but it was not intended to restrict test certificates.

All roots must have test certificates to be issued for the browsers and operating systems to test at the time of embedding. For a new root, it does not make sense to create an issuing CA, just to issue the test certificates. This increases risk and does not provide any value as the test certificates from the root would be sufficient to test that both SSL and EV SSL are working.

I would suggest that you allow the CAs to issue test certificates from their root similar to the example described above. If that was the case, then this bug would not be required.

Thanks, Bruce.
(In reply to Bruce Morton from comment #1)
> All roots must have test certificates to be issued for the browsers and
> operating systems to test at the time of embedding. 

Correct. But for Mozilla the root embedding and the enablement of EV treatment are two different things. The CA can apply for approval of both at once, but the code changes to make these happen are separate, and the EV enablement will only be done after the root has been embedded.

> For a new root, it does
> not make sense to create an issuing CA, just to issue the test certificates.
> This increases risk and does not provide any value as the test certificates
> from the root would be sufficient to test that both SSL and EV SSL are
> working.

OK. But Mozilla does not need to enable EV treatment for a root until it has been demonstrated that the CA hierarchy is indeed fully ready to issue EV certs, or is already issuing EV certs.

It is even better if the CA has set up a real site that can be used to do the EV test. Mozilla offers the option to provide a test website, but it should still mimic a real use case.
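As an added example, not code from this bug or from Mozilla's PSM, here is the enforcement the reporter asks for, written in Go against the standard library: a constructed in-memory root, an intermediate, and two leaves, with EV treatment granted only when the verified chain contains an intermediate, so a root-issued test certificate like the one in comment #1 still validates as ordinary SSL but gets no EV. All names, keys and the PKI are assumptions made up for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a certificate for cn signed by parent (self-signed when parent is nil).
// The whole PKI is constructed in memory for this example; no real CA is involved.
func mkCert(cn string, ku x509.KeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root: the template signs itself
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// evEligible grants EV only if a verified chain has an intermediate between leaf and trust anchor; a chain of [leaf, root] means the root key signed the leaf.
func evEligible(leaf *x509.Certificate, roots, inters *x509.CertPool) bool {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	if err != nil { return false } // no valid chain at all, so certainly no EV treatment
	for _, chain := range chains {
		if len(chain) >= 3 { return true } // leaf, one or more intermediates, root
	}
	return false
}

// buildScenario issues one leaf straight from the root (a root-issued test certificate) and one through an intermediate, and reports EV eligibility for each.
func buildScenario() (rootSignedLeafEV, interSignedLeafEV bool) {
	root, rootKey := mkCert("Example EV Root", x509.KeyUsageCertSign, nil, nil)
	inter, interKey := mkCert("Example EV Issuing CA", x509.KeyUsageCertSign, root, rootKey)
	leafFromRoot, _ := mkCert("ev-test.example.test", x509.KeyUsageDigitalSignature, root, rootKey)
	leafFromInter, _ := mkCert("www.example.test", x509.KeyUsageDigitalSignature, inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	return evEligible(leafFromRoot, roots, inters), evEligible(leafFromInter, roots, inters)
}
func main() { fmt.Println(buildScenario()) } // prints: false true
```

Both leaves pass ordinary chain validation against the root; only the chain length decides EV, which is what makes the root-issued test certificate a DV-only site in this model.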
Severity: normal → S3