On 2017-04-12 16:15, Peter Bowen wrote:
On Wed, Apr 12, 2017 at 5:57 AM, Ryan Sleevi via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:
A certificate hash does provide distinct value.
The certificate hash is what is desired. Yes, there could be multiple
certificates. But within the context of the scope of an audit and a
'logical' CA, the auditor can and should be clear about what physical
certificates corresponded to the logical operations of that CA.
What portions of the certificate(s) naming that CA as the subject will
impact the audit?
As I see it, the only certificates that are relevant to the audit are
those that have the CA as the issuer. It really doesn't matter who
cross-signs the CA.
Note that it's about each root and intermediate certificate. For the
intermediates, the issuer doesn't really matter; it's the subject you
care about.
I just noticed that the text also says certificate while I expected it
to say CA.
Kurt