On Mon, Dec 14, 2015 at 5:39 PM, Kathleen Wilson <kwil...@mozilla.com> wrote:
>
> Another thing to consider in updating the policy is in regards to test
> certificates versus certificates issued to customers.
> e.g. Does the disclosure need to happen before test certificates are issued?
> Or does the disclosure just need to happen before non-test certificates are
> issued? (or certificates are issued to customers, or such)
Kathleen,

There is no definition of "test certificate", so carving out a specific exception for test certificates seems unworkable.

That being said, it would seem reasonable that one should be able to generate a keypair for a new CA, cut a cross-certificate from an existing CA, and issue the first certificate(s) in one ceremony. I don't think it is reasonable to require a waiting period between key generation and certificate issuance.

Therefore, I would revise my earlier recommendation and suggest placing a timeliness requirement on disclosure: publicly disclose within X days of first issuance.

If there is a strong interest in pre-disclosure, then maybe allowing disclosure of the planned Distinguished Name of the CA and applicable documents would be appropriate, with a supplementary disclosure of the public key after generation.

Thanks,
Peter

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
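The one-ceremony flow Peter describes (generate the new CA keypair, cut a cross-certificate from an existing CA, issue the first end-entity certificate) and the two disclosure items he separates (the planned Distinguished Name, which exists before any key does, and the public key, which exists only after generation), as an added example. This is not code from the thread nor any CA's real ceremony tooling; it is a plain `openssl` CLI script, and the CA names, file names, validity periods and the `first.example.test` hostname are assumptions. It needs the `openssl` binary and writes only into a temporary directory.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): one ceremony that creates a
# new subordinate CA key, cross-certifies it from an existing CA, issues the
# first end-entity certificate, then emits a disclosure record.
# All names, paths and validity periods below are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# The planned DN is known before the ceremony and could be pre-disclosed.
# The SPKI hash in the disclosure record can only exist after key generation.
ROOT_DN="/O=Example CA Inc/CN=Example Existing Root CA"
PLANNED_SUBCA_DN="/O=Example CA Inc/CN=Example New Sub CA"

write_configs() {
    # Minimal req config so 'openssl req' does not depend on the system openssl.cnf
    cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_subca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_ee]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:first.example.test
authorityKeyIdentifier = keyid
EOF
}

run_ceremony() {
    write_configs
    # Stand-in for the already-disclosed existing CA (self-signed root)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/root.key" 2>/dev/null
    openssl req -x509 -new -key "$WORK/root.key" -out "$WORK/root.crt" -days 3650 -sha256 \
        -subj "$ROOT_DN" -config "$WORK/req.cnf" -extensions v3_root 2>/dev/null
    # Step 1: generate the new CA keypair and a CSR carrying the planned DN
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/newca.key" 2>/dev/null
    openssl req -new -key "$WORK/newca.key" -out "$WORK/newca.csr" \
        -subj "$PLANNED_SUBCA_DN" -config "$WORK/req.cnf" 2>/dev/null
    # Step 2: cross-certificate for the new CA, signed by the existing CA
    openssl x509 -req -in "$WORK/newca.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -out "$WORK/newca.crt" -days 1825 -sha256 \
        -extfile "$WORK/req.cnf" -extensions v3_subca 2>/dev/null
    # Step 3: first end-entity certificate issued by the new CA, same ceremony
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/ee.key" 2>/dev/null
    openssl req -new -key "$WORK/ee.key" -out "$WORK/ee.csr" \
        -subj "/CN=first.example.test" -config "$WORK/req.cnf" 2>/dev/null
    openssl x509 -req -in "$WORK/ee.csr" -CA "$WORK/newca.crt" -CAkey "$WORK/newca.key" \
        -CAcreateserial -out "$WORK/ee.crt" -days 90 -sha256 \
        -extfile "$WORK/req.cnf" -extensions v3_ee 2>/dev/null
}

# SHA-256 over the DER SubjectPublicKeyInfo of a certificate's public key
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Post-ceremony disclosure record: DN known up front, key material only now
disclosure_record() {
    printf 'planned-dn=%s\n' "$PLANNED_SUBCA_DN"
    printf 'subject=%s\n' "$(openssl x509 -in "$WORK/newca.crt" -noout -subject | sed 's/^subject=//')"
    printf 'spki-sha256=%s\n' "$(spki_sha256 "$WORK/newca.crt")"
    printf 'cert-sha256=%s\n' "$(openssl x509 -in "$WORK/newca.crt" -noout -fingerprint -sha256 | sed 's/^.*=//')"
}

# Exit 0 only if the first-issued certificate chains to the existing root via the cross-cert
verify_chain() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/newca.crt" "$WORK/ee.crt" >/dev/null 2>&1
}

# Stand-alone use: sh ceremony.sh run
if [ "${1:-}" = "run" ]; then
    run_ceremony && disclosure_record && verify_chain && echo "chain verifies"
fi
```

The script keeps the three steps in one session, as the message argues a policy should allow, and the `disclosure_record` output is the pair of artifacts a timeliness rule ("within X days of first issuance") would apply to: the `planned-dn` line is available before the ceremony, while `spki-sha256` and `cert-sha256` cannot exist until the key and cross-certificate do.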