On Monday, May 22, 2017 at 2:43:14 PM UTC-5, Peter Bowen wrote:
>
> I would say that any CA-certificate signed by a CA that does not have
> name constraints and not constrained to things outside the set
> {id-kp-serverAuth, id-kp-emailProtection, anyEKU} should be disclosed.
> This would mean that the top level of all constrained hierarchies is
> disclosed but subordinate CAs further down the tree and EE certs are
> not. I think that this is a reasonable trade off of privacy vs
> disclosure.

I would agree that those you've identified as "should be disclosed" definitely should be disclosed. I am concerned, however, that SOME of the remaining certificates beyond those should probably also be disclosed. For safety's sake, it may be better to start with an assumption that all CA and SubCA certificates require full disclosure to CCADB and then define particular specific rule sets for those which don't require that level.