On 22/11/16 20:16, j...@letsencrypt.org wrote:
> organization. Issuance to .mil is not allowed due to contractual
> obligations that are reflected in our Certification Practice
> Statement.

I have just been investigating this issue, as documented in the bug Kathleen links to. Mozilla policy requires that certificates issued in contravention of a CA's CP/CPS should be revoked, which LE have done.

Other than that, Mozilla policy does not directly require (somewhat to my surprise) that a CA operate in accordance with its CP and CPS. We require this indirectly because the audits that we require, require it.

So: should Mozilla's policy directly require that CAs operate in accordance with the appropriate CP/CPS for the root(s) in our store? I can see both pros and cons to directly mandating this.

Gerv