On Mon, May 22, 2017 at 1:02 PM, Matthew Hardeman via
dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On Monday, May 22, 2017 at 2:43:14 PM UTC-5, Peter Bowen wrote:
>
>>
>> I would say that any CA-certificate signed by a CA that does not have
>> name constraints and not constrained to things outside the set
>> {id-kp-serverAuth, id-kp-emailProtection, anyEKU} should be disclosed.
>> This would mean that the top level of all constrained hierarchies is
>> disclosed but subordinate CAs further down the tree and EE certs are
>> not.  I think that this is a reasonable trade-off of privacy vs
>> disclosure.
>
> I would agree that those you've identified as "should be disclosed" 
> definitely should be disclosed.  I am concerned, however, that SOME of the 
> remaining certificates beyond those should probably also be disclosed.  For
> safety's sake, it may be better to start with an assumption that all CA and
> SubCA certificates require full disclosure to CCADB and then define 
> particular specific rule sets for those which don't require that level.

Right now the list excludes anything with a certain set of name
constraints and anything that has EKU constraints outside the in-scope
set.  I'm suggesting that the first "layer" of CA certs always should
be disclosed.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
