It seems to me that requiring the registration of these subordinate CAs bloats the Salesforce database unnecessarily.
-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+ben=digicert....@lists.mozilla.org] On Behalf Of Rob Stradling
Sent: Wednesday, June 22, 2016 4:00 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Intermediate certificate disclosure deadline in 2 weeks

On 21/06/16 17:56, Nick Lamb wrote:
> On Tuesday, 21 June 2016 17:10:43 UTC+1, Peter Bowen wrote:
>> If all paths from a trusted root to a given intermediate are revoked
>> or expired, then I don't think it "directly or transitively chain[s]
>> to a certificate included in Mozilla's CA Certificate Program". It
>> would be no different than a private CA which isn't part of the
>> WebPKI graph.
>
> It is actually different, but whether each case is different in an
> _important_ way is a matter for Mozilla to decide.

<snip>

+1

If certificate A's signature can be verified by certificate B's public key, and if certificate B has basicConstraints.CA=TRUE, then certificate B chains to certificate A. Revocation, expiration, name constraints, EKU "constraints", etc, may affect whether or not that chain of certificates is trusted by Mozilla's software, but these things do not cause that chain of certificates to cease to be a chain of certificates.

Kathleen's "CAs should not add records for:" list [1] includes expired intermediates but does not include all-paths-revoked intermediates.

[1] https://wiki.mozilla.org/CA:SalesforceCommunity#Which_intermediate_certificate_data_should_CAs_add_to_Salesforce.3F

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
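The distinction the thread turns on (a structural "chains to" relation that is independent of revocation and expiry, versus a trust decision that is not) is easy to get wrong when deciding which intermediates to disclose. The following is an added example, not code from the thread or from Mozilla's tooling: it models certificates as plain records whose "signature verification" is a signing-key lookup (a constructed stand-in for real X.509 signature checks), walks every issuer path from a target intermediate up to a root, and then separately asks whether any of those paths is currently trusted. The scenario it builds is Peter Bowen's case: an intermediate whose only paths to the root run through a revoked cross-certificate and an expired one.

```python
"""Constructed model of "chains to" (structural) versus "trusted" (policy).

Not real X.509 parsing: a certificate's signature is "verified" by matching the
key id it claims to be signed by against a candidate issuer's key id. Revocation
and expiry are recorded on each record so the two questions can be answered
independently, as Rob Stradling's definition requires.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Cert:
    name: str
    key_id: str          # stands in for the subject public key (SPKI)
    signed_by_key: str   # key id under which this cert's signature verifies
    ca: bool             # basicConstraints.cA
    not_after: datetime
    revoked: bool = False


def chains_to(a: Cert, b: Cert) -> bool:
    """Structural relation from the thread: A's signature verifies under B's
    public key and B is a CA. Deliberately ignores revocation, expiry, name
    constraints and EKU, which belong to the trust decision instead."""
    return a.signed_by_key == b.key_id and b.ca


def all_paths(target: Cert, roots, pool):
    """Every chain [root, ..., target], found by walking issuers upward (DFS).
    Cycles such as mutual cross-signing are cut by remembering visited key ids,
    so two cross-certs for the same key yield two distinct paths, not a loop."""
    root_names = {r.name for r in roots}
    paths = []

    def walk(current, path, seen_keys):
        if current.name in root_names:
            paths.append(list(reversed(path)))
            return
        for cand in pool:
            if cand.key_id in seen_keys:
                continue
            if chains_to(current, cand):
                walk(cand, path + [cand], seen_keys | {cand.key_id})

    walk(target, [target], {target.key_id})
    return paths


def trusted_paths(paths, now: datetime):
    """The policy question: a path is trusted only if nothing on it is revoked
    or expired. (A real validator would also apply name constraints, EKU, and
    policy OIDs; they are omitted from this model.)"""
    return [p for p in paths
            if all(not c.revoked and c.not_after > now for c in p)]


def build_scenario():
    """Constructed PKI: root R; CA key X is carried by two cross-certs from R,
    one revoked (X1) and one expired (X2); sub-CA S is issued under key X;
    sub-CA T is issued directly by R and is healthy."""
    now = datetime(2016, 6, 22, tzinfo=timezone.utc)
    far = now + timedelta(days=3650)
    root = Cert("R", "key-r", "key-r", True, far)
    x1 = Cert("X1", "key-x", "key-r", True, far, revoked=True)
    x2 = Cert("X2", "key-x", "key-r", True, now - timedelta(days=1))
    sub_s = Cert("S", "key-s", "key-x", True, far)
    sub_t = Cert("T", "key-t", "key-r", True, far)
    pool = [root, x1, x2, sub_s, sub_t]
    return now, root, pool, {c.name: c for c in pool}


def disclosure_summary(target: Cert, root: Cert, pool, now: datetime):
    """Returns (number of structural chains to the root, number currently
    trusted). Under the thread's definition, disclosure follows the first
    number; a trust store's behaviour follows the second."""
    paths = all_paths(target, [root], pool)
    return len(paths), len(trusted_paths(paths, now))


if __name__ == "__main__":
    now, root, pool, by_name = build_scenario()
    for name in ("S", "T"):
        total, trusted = disclosure_summary(by_name[name], root, pool, now)
        print(f"{name}: {total} chain(s) to R, {trusted} trusted")
```

Run stand-alone, S reports two chains to R and zero trusted ones, while T reports one of each: S still chains to the program root in the thread's sense even though no trust path to it is live, which is exactly the case Rob's reading of the disclosure list covers and Peter's reading would exclude.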