On Fri, May 22, 2015 3:11 pm, Eric Mill wrote:
>  On Fri, May 22, 2015 at 5:15 PM, Kathleen Wilson <kwil...@mozilla.com>
>  wrote:
>
> > On 4/7/15 5:31 PM, Richard Barnes wrote:
> >
> >>
> >> 5. April 1, 2016 is the earliest date at which CNNIC may apply for full
> > inclusion, so SSL certificates issued after Apr 1 2015 for new domains
> > will be recognized.
> >
>
>  Do you mean "will *not* be recognized"?

Fair question. Either answer could work, although "will not be recognized"
would be more work and more inconsistent, historically.

That is, treat CNNIC as any other CA applicant, who may have spun up the
CA some time in the past, issued any number of non-BR compliant certs
(including subordinate CA certs), and then applies for inclusion, after
having completed a BR PITRA.

Nothing is said in the current policy for the population of existing certs
- whether or not they comply either with the BRs or with the CA's existing
policies.

This is somewhat obliquely discussed at
https://wiki.mozilla.org/CA:BaselineRequirements#A_CA.27s_First_BR_Audit
when discussing a CA's first application, which is conceptually quite
similar to a CA that was bounced and then reapplies. The last paragraph of
that section is probably most relevant to future discussions of
reapplication - determining how to handle this.

I have thoughts on the matter, but at the risk of influencing the
discussion too much, I'll hold off and give others a chance to read that
section and noodle about the implications before I offer
thoughts/concerns/suggestions.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
