On 12/3/15 11:04 AM, Peter Bowen wrote:
On Thu, Dec 3, 2015 at 10:31 AM, Kathleen Wilson <kwil...@mozilla.com> wrote:
On 23/11/15 15:57, Peter Bowen wrote:

I realize that Mozilla carved out allowance for not disclosing, but
the CA/Browser Forum did not adopt this, instead only exempting
technically constrained CAs from the audit requirement.  Maybe this is
a place where the Mozilla policy can be aligned with the BRs.




Are you referring to section 3.2.6 of the BRs?
~~
3.2.6. Criteria for Interoperation or Certification
The CA SHALL disclose all Cross Certificates that identify the CA as the
Subject, provided that the CA arranged for or accepted the establishment
of the trust relationship (i.e. the Cross Certificate at issue).
~~

Or were you referring to something else?

From BR Definitions:
Cross Certificate: A certificate that is used to establish a trust
relationship between two Root CAs.
Root CA: The top level Certification Authority whose Root Certificate is
distributed by Application Software Suppliers and that issues Subordinate
CA Certificates.

I was but forgot that the definition of cross certificate in the BRs
is different from the X.509 definition.


So, the BRs do not mention disclosure of any intermediate certificates other than cross-signing relationships between root certs included in the major root stores. So, on this particular topic we do not want to align Mozilla policy with the BRs. Correct?

Kathleen


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy