All,
In response to the CA Communication, I have received the following question.
Question: Please clarify Action #5: Do you expect public disclosure of
all subordinate CA certificates, or just those issued to third parties?
Answer:
http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
"8. ... The term "subordinate CA" below refers to any organization or
legal entity that is in possession or control of a certificate that is
capable of being used to issue new certificates. ...
9. We encourage CAs to technically constrain all subordinate CA
certificates. For a certificate to be considered technically
constrained, the certificate MUST include an Extended Key Usage (EKU)
extension specifying all extended key usages that the subordinate CA is
authorized to issue certificates for. ...
10. We recognize that technically constraining subordinate CA
certificates as described above may not be practical in some cases. All
certificates that are capable of being used to issue new certificates,
that are not technically constrained, and that directly or transitively
chain to a certificate included in Mozilla’s CA Certificate Program MUST
be audited in accordance with Mozilla’s CA Certificate Policy and MUST
be publicly disclosed by the CA that has their certificate included in
Mozilla’s CA Certificate Program. ..."
So, my interpretation of the policy is that it applies to all, both
internally-operated and externally-operated, sub CA certs.
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
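Section 9 of the quoted policy makes an Extended Key Usage (EKU) extension the first requirement for a subordinate CA certificate to count as technically constrained, and section 10 says any CA-capable certificate that lacks such a constraint must be audited and publicly disclosed. The following is an added example, not code from the thread, from Mozilla, or from any CA: a self-contained Python script that encodes and decodes a DER X.509 extensions block by hand (no external libraries), then sorts a certificate's extensions into "end-entity", "EKU-constrained" or "unconstrained CA". It checks only the basicConstraints cA flag and the EKU condition quoted in section 9; the other technical-constraint requirements (name constraints and so on) are out of scope here. Treating the anyExtendedKeyUsage purpose (2.5.29.37.0) as not constraining is the author's assumption based on its RFC 5280 meaning, not something the quoted text states. All OIDs are the standard X.509 ones; the sample extension blocks are constructed inline.

```python
"""Classify DER-encoded X.509 extension blocks against the quoted EKU rule.

Added example, not part of the mailing-list post. Only the extensions
SEQUENCE is handled; the sample inputs at the bottom are constructed here.
"""

OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_EXT_KEY_USAGE = "2.5.29.37"
OID_ANY_EKU = "2.5.29.37.0"          # anyExtendedKeyUsage: no real constraint (assumption)
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
OID_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"

# ---- minimal DER encoder -------------------------------------------------

def der_len(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_len(len(value)) + value

def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high bit set on all but last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def extension(oid: str, value_der: bytes, critical: bool = False) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }"""
    parts = encode_oid(oid) + (tlv(0x01, b"\xff") if critical else b"")
    return tlv(0x30, parts + tlv(0x04, value_der))

def basic_constraints(ca: bool) -> bytes:
    return extension(OID_BASIC_CONSTRAINTS, tlv(0x30, tlv(0x01, b"\xff") if ca else b""), True)

def ext_key_usage(purposes) -> bytes:
    return extension(OID_EXT_KEY_USAGE, tlv(0x30, b"".join(encode_oid(p) for p in purposes)))

def extensions_block(*exts: bytes) -> bytes:
    return tlv(0x30, b"".join(exts))

# ---- minimal DER decoder -------------------------------------------------

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def iter_seq(body: bytes):
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val

def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_extensions(der: bytes) -> dict:
    """Map extension OID -> raw extnValue bytes (the critical flag is skipped)."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extensions block must be a SEQUENCE")
    result = {}
    for _, ext in iter_seq(body):
        items = list(iter_seq(ext))
        result[decode_oid(items[0][1])] = items[-1][1]   # last item is the OCTET STRING
    return result

# ---- policy check --------------------------------------------------------

def is_ca(exts: dict) -> bool:
    bc = exts.get(OID_BASIC_CONSTRAINTS)
    if bc is None:
        return False
    _, seq, _ = read_tlv(bc, 0)
    return any(tag == 0x01 and val == b"\xff" for tag, val in iter_seq(seq))

def eku_purposes(exts: dict):
    eku = exts.get(OID_EXT_KEY_USAGE)
    if eku is None:
        return None
    _, seq, _ = read_tlv(eku, 0)
    return [decode_oid(val) for tag, val in iter_seq(seq) if tag == 0x06]

def classify(der: bytes) -> str:
    """'end-entity', 'EKU-constrained: <oids>' or 'unconstrained CA' (audit + disclose)."""
    exts = parse_extensions(der)
    if not is_ca(exts):
        return "end-entity"
    purposes = eku_purposes(exts)
    if purposes and OID_ANY_EKU not in purposes:
        return "EKU-constrained: " + ", ".join(purposes)
    return "unconstrained CA"

if __name__ == "__main__":
    # Constructed sample extension blocks (not real certificates).
    for label, blk in [
        ("sub CA, serverAuth EKU", extensions_block(basic_constraints(True), ext_key_usage([OID_SERVER_AUTH]))),
        ("sub CA, no EKU", extensions_block(basic_constraints(True))),
        ("sub CA, anyEKU", extensions_block(basic_constraints(True), ext_key_usage([OID_ANY_EKU]))),
        ("leaf cert", extensions_block(basic_constraints(False), ext_key_usage([OID_EMAIL_PROTECTION]))),
    ]:
        print(f"{label:25s} -> {classify(blk)}")
```

The encoder exists only so the script runs offline on inputs that are visibly constructed; in practice the extensions SEQUENCE would be pulled from a real certificate's TBSCertificate. The classification follows the quoted text's two-way split: a CA-capable certificate either carries a limiting EKU or falls under the section 10 audit-and-disclosure requirement, whether the sub CA is operated internally or by a third party.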