Clarify that CAs can generate their own keys

[timfromdigicert]

This one has come up a few times in the Validation Subcommittee of the CA/Browser Forum, and came up again in a side discussion today.

Mozilla policy currently contains the following:

"CAs MUST NOT generate the key pairs for end-entity certificates that have an EKU extension containing the KeyPurposeIds id-kp-serverAuth or anyExtendedKeyUsage."

This can be read as prohibiting key generation for certificates that CAs issue to themselves, which I don't believe was the intent.

I think it's pretty simple to fix ... for example:

"CAs MUST NOT generate the key pairs for end-entity certificates that have an EKU extension containing the KeyPurposeIds id-kp-serverAuth or anyExtendedKeyUsage, unless the certificate is being issued to the CA itself."

There are probably lots of other ways to fix it. Also, using CA organization here would be a slight improvement over the bare term "CA", which is somewhat ambiguous.

[techliaison]

What about calling them subscriber certificates vs end-entity? From: Tim Hollebeek ***@***.***> Sent: Wednesday, February 23, 2022 12:22 PM To: mozilla/pkipolicy ***@***.***> Cc: Subscribed ***@***.***> Subject: [mozilla/pkipolicy] Clarify that Subscribers can always generate their own keys, even if they are a CA (Issue #238) This one has come up a few times in the Validation Subcommittee of the CA/Browser Forum, and came up again in a side discussion today. Mozilla policy currently contains the following: "CAs MUST NOT generate the key pairs for end-entity certificates that have an EKU extension containing the KeyPurposeIds id-kp-serverAuth or anyExtendedKeyUsage." This can be read as prohibiting key generation for certificates that CAs issue to themselves, which I don't believe was the intent. I think it's pretty simple to fix ... for example: "CAs MUST NOT generate the key pairs for end-entity certificates that have an EKU extension containing the KeyPurposeIds id-kp-serverAuth or anyExtendedKeyUsage, unless the certificate is being issued to the CA itself." There are probably lots of other ways to fix it. Also, using CA organization here would be a slight improvement over the bare term "CA", which is somewhat ambiguous. - Reply to this email directly, view it on GitHub<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Fissues%2F238&data=04%7C01%7Cwendy.brown%40protiviti.com%7C10349abe235b40a6b8a408d9f6f0f45a%7C16532572d5674d678727f12f7bb6aed3%7C0%7C0%7C637812337029093252%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=QzFFJwyY8N3w9al13DFcDQVrVZkIlFAfpsyBoOwVEDg%3D&reserved=0>, or unsubscribe<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAENXKO7BQ32RFLFA3Q36VZLU4UJSHANCNFSM5PE76T7Q&data=04%7C01%7Cwendy.brown%40protiviti.com%7C10349abe235b40a6b8a408d9f6f0f45a%7C16532572d5674d678727f12f7bb6aed3%7C0%7C0%7C637812337029093252%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=iOBIMQSTN%2FgBzbvbsiHy%2BtAsjvE8aCfpqGHq3YlhijU%3D&reserved=0>. Triage notifications on the go with GitHub Mobile for iOS<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fapps.apple.com%2Fapp%2Fapple-store%2Fid1477376905%3Fct%3Dnotification-email%26mt%3D8%26pt%3D524675&data=04%7C01%7Cwendy.brown%40protiviti.com%7C10349abe235b40a6b8a408d9f6f0f45a%7C16532572d5674d678727f12f7bb6aed3%7C0%7C0%7C637812337029093252%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=HUbCTwVw5dpbxoU8cEKi8gGYsPACcWqLJh6THGgaSxA%3D&reserved=0> or Android<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fplay.google.com%2Fstore%2Fapps%2Fdetails%3Fid%3Dcom.github.android%26referrer%3Dutm_campaign%253Dnotification-email%2526utm_medium%253Demail%2526utm_source%253Dgithub&data=04%7C01%7Cwendy.brown%40protiviti.com%7C10349abe235b40a6b8a408d9f6f0f45a%7C16532572d5674d678727f12f7bb6aed3%7C0%7C0%7C637812337029093252%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=LOroUZ5rCxPch5sYvyrgc180QeWOFd%2FGxJTZ0zbTJT8%3D&reserved=0>. You are receiving this because you are subscribed to this thread.Message ID: ***@***.******@***.***>> NOTICE: Protiviti is a global consulting and internal audit firm composed of experts specializing in risk and advisory services. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. This electronic mail message is intended exclusively for the individual or entity to which it is addressed. This message, together with any attachment, may contain confidential and privileged information. Any views, opinions or conclusions expressed in this message are those of the individual sender and do not necessarily reflect the views of Protiviti Inc. or its affiliates. Any unauthorized review, use, printing, copying, retention, disclosure or distribution is strictly prohibited. If you have received this message in error, please immediately advise the sender by reply email message to the sender and delete all copies of this message. Thank you.

[timfromdigicert]

The reason I didn't use the term "end entity certificate" is that this happens at a point in time where there is no certificate yet. In fact, I probably should have said Applicant instead of Subscriber. Fixed.

[BenWilson-Mozilla]

Resolved in version 2.8