On 5/22/15 4:24 PM, Ryan Sleevi wrote:
> Nothing is said in the current policy for the population of existing certs
> - whether or not they comply with either the BRs or the CA's existing
> policies.
> This is somewhat obliquely discussed at
> https://wiki.mozilla.org/CA:BaselineRequirements#A_CA.27s_First_BR_Audit
> when discussing a CA's first application, which is conceptually quite
> similar to a CA that was bounced and then reapplies. The last paragraph of
> that section is probably most relevant to future discussions of
> reapplication - determining how to handle this.
So this does not get overlooked...
https://wiki.mozilla.org/CA:BaselineRequirements#A_CA.27s_First_BR_Audit
"In the situation where a root certificate is in production and has
issued certificates to customers before the CA knew about the BRs, an
untold number of the previously issued certificates might not conform to
the BRs. This could be serious, depending on which BRs the CA did not
previously comply with, the number of BRs the CA did not previously
comply with, and the quantity of such certificates issued. Depending on
the situation, the CA may be asked to create a new root certificate for
inclusion. Therefore, the CA and/or auditor shall provide a list of the
BRs that the previously issued certificates did not comply with."
Granted, CNNIC did know about the BRs (and were audited according to the
BRs) before their mis-issuance.
But this raises the question of whether their re-application can be for
the same (currently-included) root certificates, or if it has to be for
a new root certificate. In other words, should we consider taking the
stance that we will require a new root certificate for their
re-application? (i.e. the restrictions would remain in place for the
currently-included roots.)
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy