What if the third party needs to review the certificate to see whether it meets expected profile requirements? In some cases the certificate subject must first "accept" the certificate.
-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+ben=digicert....@lists.mozilla.org] On Behalf Of Jakob Bohm via dev-security-policy
Sent: Monday, March 27, 2017 3:58 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Grace Period for Sub-CA Disclosure

On 27/03/2017 23:41, Rob Stradling wrote:
> On 27/03/17 22:37, Jakob Bohm via dev-security-policy wrote:
> <snip>
>> It should also be made a requirement that the issued SubCA
>> certificate is provided to the CCADB and other root programs before
>> providing it to the SubCA owner/operator,
>
> That'd be a bit difficult in the common case where the Sub-CA operator
> and the Sub-CA certificate's issuer are the same entity!
>

Oops forgot to include "3rd party" in that sentence.

This extra requirement would only apply to 3rd party SubCA signing, as well as to SubCA signing for a different part of the same organization. It should not apply where the new SubCA is located in the same place and receives the SubCA cert as part of the same high security signing ceremony.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy