On Thu, Dec 3, 2015 at 10:31 AM, Kathleen Wilson <kwil...@mozilla.com> wrote: >> On 23/11/15 15:57, Peter Bowen wrote: >>> >>> I realize that Mozilla carved out allowance for not disclosing, but >>> the CA/Browser Forum did not adopt this, instead only exempting >>> technically constrained CAs from the audit requirement. Maybe this is >>> a place where the Mozilla policy can aligned with the BRs. >> >> > > > Are you referring to section 3.2.6 of the BRs? > ~~ > 3.2.6. Criteria for Interoperation or Certification > The CA SHALL disclose all Cross Certificates that identify the CA as the > Subject, provided that the CA arranged > for or accepted the establishment of the trust relationship (i.e. the Cross > Certificate at issue). > ~~ > > Or were you referring to something else? > > From BR Definitions: > Cross Certificate: A certificate that is used to establish a trust > relationship between two Root CAs. > Root CA: The top level Certification Authority whose Root Certificate is > distributed by Application Software > Suppliers and that issues Subordinate CA Certificates.
I was but forgot that the definition of cross certificate in the BRs is different from the X.509 definition. I was thinking of this definition: _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy