Isn't this ballot ready to go? If we start the review period now, it'll be passed by the time the Mozilla policy is updated.
-----Original Message----- From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla .org] On Behalf Of Peter Bowen via dev-security-policy Sent: Monday, July 3, 2017 10:30 AM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: SRVNames in name constraints In reviewing the Mozilla CA policy, I noticed one bug that is probably my fault. It says: "name constraints which do not allow Subject Alternative Names (SANs) of any of the following types: dNSName, iPAddress, SRVName, rfc822Name" SRVName is not yet allowed by the CA/Browser Forum Baseline Requirements (BRs), so I highly doubt any CA has issued a cross-certificate containing constraints on SRVName-type names. Until the Forum allows such issuance, I think this requirement should be changed to remove SRVName from the list. If the Forum does allow such in the future, adding this back can be revisited at such time. Thanks, Peter _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy