On 28/03/2017 00:16, Ben Wilson wrote:
What if the third party needs to review the certificate to see whether it
meets expected profile requirements?  In some cases the certificate subject
must first "accept" the certificate.

-----Original Message-----
From: dev-security-policy
[mailto:dev-security-policy-bounces+ben=digicert....@lists.mozilla.org] On
Behalf Of Jakob Bohm via dev-security-policy
Sent: Monday, March 27, 2017 3:58 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Grace Period for Sub-CA Disclosure

On 27/03/2017 23:41, Rob Stradling wrote:
On 27/03/17 22:37, Jakob Bohm via dev-security-policy wrote:
<snip>
It should also be made a requirement that the issued SubCA
certificate is provided to the CCADB and other root programs before
providing it to the SubCA owner/operator,

That'd be a bit difficult in the common case where the Sub-CA operator
and the Sub-CA certificate's issuer are the same entity!


Oops forgot to include "3rd party" in that sentence.  This extra requirement
would only apply to 3rd party SubCA signing, as well as to SubCA signing for
a different part of the same organization.

It should not apply where the new SubCA is located in the same place and
receives the SubCA cert as part of the same high security signing ceremony.



Even if the subject rejects a provided certificate, the subject can
still use it (subject to revocation checking).

Thus for browsers that have replaced actual revocation checking by
things like OneCRL, disclosure of such a rejected SubCA certificate is
still required.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
