On Mon, May 22, 2017 at 1:02 PM, Matthew Hardeman via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:
> On Monday, May 22, 2017 at 2:43:14 PM UTC-5, Peter Bowen wrote:
>
>> I would say that any CA-certificate signed by a CA that does not have
>> name constraints and not constrained to things outside the set
>> {id-kp-serverAuth, id-kp-emailProtection, anyEKU} should be disclosed.
>> This would mean that the top level of all constrained hierarchies is
>> disclosed but subordinate CAs further down the tree and EE certs are
>> not. I think that this is a reasonable trade-off of privacy vs
>> disclosure.
>
> I would agree that those you've identified as "should be disclosed"
> definitely should be disclosed. I am concerned, however, that SOME of the
> remaining certificates beyond those should probably also be disclosed. For
> safety's sake, it may be better to start with an assumption that all CA and
> SubCA certificates require full disclosure to CCADB and then define
> particular specific rule sets for those which don't require that level.
Right now the list excludes anything with a certain set of name constraints
and anything that has EKU constraints outside the in-scope set. I'm
suggesting that the first "layer" of CA certs always should be disclosed.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
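The two disclosure rules discussed in this exchange, the list's current exclusion based on a certificate's own constraints and Peter's issuer-based proposal, implemented side by side over a small constructed hierarchy. This is an added example written by the editor, not code from the thread, from Mozilla or from CCADB; the certificate names, the hierarchy and the reduction of a CA certificate to "has a nameConstraints extension" plus "set of EKU OIDs" are assumptions made for illustration, and treating any nameConstraints extension as a constraint is a simplification of the real policy, which requires particular name types for particular EKUs.

```python
"""Compare the two CCADB disclosure rules discussed in this thread.

Each CA certificate is reduced to the facts the rules depend on: who
issued it, whether it carries a nameConstraints extension, and which EKU
OIDs it asserts (None means no EKU extension, i.e. unconstrained).
Editor-added example; the hierarchy at the bottom is constructed, not a
real CA's.  Simplification (assumption): any nameConstraints extension
counts as "has name constraints"; the real policy requires specific name
types for specific EKUs.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set

# Extended key usage OIDs from RFC 5280, section 4.2.1.12.
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"

# The in-scope set named in the thread.
IN_SCOPE_EKUS = frozenset({ID_KP_SERVER_AUTH, ID_KP_EMAIL_PROTECTION,
                           ANY_EXTENDED_KEY_USAGE})


@dataclass(frozen=True)
class CACert:
    name: str
    issuer: Optional[str]                  # None marks a root
    has_name_constraints: bool = False
    ekus: Optional[FrozenSet[str]] = None  # None = no EKU extension present


def is_constrained(cert: CACert) -> bool:
    """Technically constrained in the thread's sense: has name constraints,
    or has an EKU extension that excludes every in-scope usage."""
    if cert.has_name_constraints:
        return True
    return cert.ekus is not None and not (cert.ekus & IN_SCOPE_EKUS)


def disclose_current(certs: Dict[str, CACert]) -> Set[str]:
    """Rule as Peter describes the list today: an intermediate is excluded
    when the certificate itself is constrained.  Roots are out of scope."""
    return {c.name for c in certs.values()
            if c.issuer is not None and not is_constrained(c)}


def disclose_proposed(certs: Dict[str, CACert]) -> Set[str]:
    """Peter's proposal: look at the *issuer*.  Any CA cert signed by an
    unconstrained CA is disclosed, so the first layer of every constrained
    hierarchy is visible, while CAs further down (signed by a constrained
    CA) are not."""
    return {c.name for c in certs.values()
            if c.issuer is not None and not is_constrained(certs[c.issuer])}


def build_hierarchy() -> Dict[str, CACert]:
    """Constructed sample hierarchy (hypothetical names, not real certificates)."""
    certs = [
        CACert("Root", None),
        # ordinary public TLS/email intermediate: no constraints at all
        CACert("PublicSub", "Root"),
        # enterprise sub-CA: nameConstraints + serverAuth only
        CACert("EnterpriseTLS", "Root", True, frozenset({ID_KP_SERVER_AUTH})),
        # its own issuing CA, one level deeper, likewise constrained
        CACert("EnterpriseTLS-Issuing", "EnterpriseTLS", True,
               frozenset({ID_KP_SERVER_AUTH})),
        # EKU-constrained to a usage outside the in-scope set
        CACert("CodeSigningSub", "Root", False, frozenset({ID_KP_CODE_SIGNING})),
        # constrained itself, but signed by an unconstrained intermediate
        CACert("CustomerTLS", "PublicSub", True, frozenset({ID_KP_SERVER_AUTH})),
    ]
    return {c.name: c for c in certs}


def compare(certs: Dict[str, CACert]):
    """Return what each rule discloses and the certs on which they differ."""
    current, proposed = disclose_current(certs), disclose_proposed(certs)
    return current, proposed, current ^ proposed


if __name__ == "__main__":
    cur, prop, diff = compare(build_hierarchy())
    print("current :", sorted(cur))
    print("proposed:", sorted(prop))
    print("differ  :", sorted(diff))
```

The two rules agree on the unconstrained intermediate and on the issuing CA buried under a constrained one; they differ on exactly the "first layer" certificates Peter is talking about (the name-constrained and code-signing sub-CAs under the root, and a constrained CA hanging off an unconstrained intermediate). To run this against a real hierarchy, build_hierarchy would be replaced by parsing the nameConstraints and extendedKeyUsage extensions out of actual certificates, and the nameConstraints check should then apply the policy's per-EKU name-type requirements rather than mere presence.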