On Wed, Jun 21, 2017 at 7:15 AM, Gervase Markham via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > On 21/06/17 13:13, Doug Beattie wrote: >>> Do they have audits of any sort? >> >> There had not been any audit requirements for EKU technically >> constrained CAs, so no, there are no audits. > > In your view, having an EKU limiting the intermediate to just SSL or to > just email makes it a technically constrained CA, and therefore not > subject to audit under any root program? > > I ask because Microsoft's policy at http://aka.ms/auditreqs says: > > "Microsoft requires that every CA submit evidence of a Qualifying Audit > on an annual basis for the CA and any non-limited root within its PKI > chain." > > In your view, are these two intermediates, which are constrained only by > having the email and client auth EKUs, "limited" or "non-limited"?
What is probably not obvious is that there is a very specific definition of non-limited with respect to the Microsoft policy. The definition is unfortunately contained in the contract, which is confidential, but the definition makes it clear that these CAs are out of scope for audits. Thanks, Peter _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
