Specifically, https://ccadb-public.secure.force.com/mozillacommunications/CACommunicationSurveySample?CACommunicationId=a051J00003mogw7
On Tue, Jan 16, 2018 at 6:06 PM, Ben Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > What about the Mozilla CA communication that said that CAs had until 15 > April 2018? > > -----Original Message----- > From: dev-security-policy > [mailto:dev-security-policy-bounces+ben=digicert....@lists.mozilla.org] On > Behalf Of Rob Stradling via dev-security-policy > Sent: Tuesday, January 16, 2018 2:29 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: CCADB disclosure of id-kp-emailProtection intermediates > > [Kathleen, Gerv, Wayne: Please correct me if this post misrepresents > Mozilla's policy and/or current expectations. Thanks!] > > Mozilla Root Store Policy v2.5 section 5.3.1 [1] permitted the > non-disclosure (and, IINM, non-audit) of certain > non-technically-constrained > id-kp-emailProtection intermediate certificates...until yesterday: > "Instead of complying with the above paragraph, intermediate certificates > issued before 22nd June 2017 may, until 15th January 2018..." > > According to [2], there are currently 223 non-technically-constrained > intermediate certificates known to crt.sh that chain to an NSS built-in > root > (that has the Email trust bit set) and are capable of issuing > id-kp-emailProtection certificates but not id-kp-serverAuthentication > certificates. > > IIUC, the Mozilla policy now requires these intermediate certificates to > have already been disclosed to the CCADB and to be audited. > > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy