Right, but can you call these SSL certs without an FQDN?
* Insofar as the Baseline Requirements attempt to define their own scope, the scope of this policy (section 1.1) overrides that. Mozilla thus requires CA operations relating to issuance of all SSL certificates in the scope of this policy to conform to the Baseline Requirements. Is SSL certificate defined? On Aug 18, 2017, at 7:33 AM, Gervase Markham <g...@mozilla.org<mailto:g...@mozilla.org>> wrote: On 17/08/17 20:31, Jeremy Rowley wrote: Without an FQDN, I doubt they are in scope for the baseline requirements. Not according to the BRs themselves. However, the Mozilla Policy 2.5 specifically says: "Insofar as the Baseline Requirements attempt to define their own scope, the scope of this policy (section 1.1) overrides that. Mozilla thus requires CA operations relating to issuance of all SSL certificates in the scope of this policy to conform to the Baseline Requirements." Now, whether we are right to include anyEKU in scope, given that it pulls in certs such as those in question, is still something I am unsure about :-) But the current policy says what it says. They are in scope for the Mozilla policy. The BRs require the cert to be intended for web tls. These are not. But the Mozilla Policy re-scopes the BRs to remove the ambiguous language about "intent". The Mozilla policy covers client certs as well as tls. Er, no it doesn't (except insofar as we make anyEKU in scope)? Our policy covers server certs and email certs. Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy