On Monday, May 22, 2017 at 2:43:14 PM UTC-5, Peter Bowen wrote:
>
> I would say that any CA-certificate signed by a CA that does not have
> name constraints and not constrained to things outside the set
> {id-kp-serverAuth, id-kp-emailProtection, anyEKU} should be disclosed.
> This would mean that the top level of all constrained hierarchies is
> disclosed but subordinate CAs further down the tree and EE certs are
> not. I think that this is a reasonable trade off of privacy vs
> disclosure.
I would agree that those you've identified as "should be disclosed" definitely
should be disclosed. I am concerned, however, that SOME of the remaining
certificates beyond those should probably also be disclosed. For safety sake,
it may be better to start with an assumption that all CA and SubCA certificates
require full disclosure to CCADB and then define particular specific rule sets
for those which don't require that level.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
