On 26/1/2018 11:54 PM, Ryan Sleevi via dev-security-policy wrote:
> Has any consideration been given to adopt a similar policy as discussed
> with the Government of Korea application -
> https://bugzilla.mozilla.org/show_bug.cgi?id=1226100#c38
Just to avoid any possible misreading of:

"If you have intermediates for which you cannot disclose, whether it be for personal, operational, or legal reasons, then an appropriate solution, consistent with Mozilla CA Certificate Policy, is to use Technically Constrained Subordinate CAs - as defined within the Baseline Requirements and as reflected within the Mozilla policy. Such TCSCAs are technically limited from the issuance of TLS certificates, and by doing so, are allowed to be operated in a way that is not consistent with the Baseline Requirements nor compliant with Mozilla Policy."

Currently, the Baseline Requirements (section 7.1.5) allow for TCSCAs to issue TLS Certificates, by requiring the nameConstraints extension, limiting the issuance to specific Domain Names and Organizations. These TCSCAs MUST follow the Baseline Requirements, with the exceptions provided for these types of TCSCAs.

As far as the Mozilla Policy is concerned, if a TCSCA is technically capable of issuing a Certificate for TLS authentication or S/MIME, it MUST comply with the Mozilla policy, with the exceptions provided for TCSCAs. Section 1.1 of the Mozilla Policy is fairly clear on the scope of the policy. If there are possibly more exceptions, it should probably be updated to reflect these cases.

Dimitris.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
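As an added example (not part of the thread, and not the policy's own tooling): a Python check with the `cryptography` library that approximates the BR 7.1.5 test Dimitris refers to, i.e. whether a TLS-capable subordinate CA certificate actually carries a limiting nameConstraints extension. The function names, the "Sample Sub CA" subject and the constructed self-signed certificate are assumptions made here for the demonstration.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import IPv4Network, IPv6Network

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

ALL_V4, ALL_V6 = IPv4Network("0.0.0.0/0"), IPv6Network("::/0")


def is_tls_technically_constrained(cert: x509.Certificate) -> bool:
    """Approximate BR 7.1.5 test: EKU includes serverAuth, nameConstraints is
    present with at least one permitted dNSName, and iPAddress is either
    explicitly permitted or excluded entirely (0.0.0.0/0 and ::/0)."""
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        nc = cert.extensions.get_extension_for_class(x509.NameConstraints).value
    except x509.ExtensionNotFound:
        return False  # no EKU (unlimited scope) or no nameConstraints at all
    if ExtendedKeyUsageOID.SERVER_AUTH not in eku:
        return False  # cannot issue TLS certificates, so this test does not apply
    permitted, excluded = nc.permitted_subtrees or [], nc.excluded_subtrees or []
    has_dns = any(isinstance(n, x509.DNSName) for n in permitted)
    ip_ok = any(isinstance(n, x509.IPAddress) for n in permitted) or (
        any(isinstance(n, x509.IPAddress) and n.value == ALL_V4 for n in excluded)
        and any(isinstance(n, x509.IPAddress) and n.value == ALL_V6 for n in excluded)
    )
    return has_dns and ip_ok


def make_sample_sub_ca(constrained: bool) -> x509.Certificate:
    """Constructed sample (not a real CA): self-signed CA cert with serverAuth EKU."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Sample Sub CA")])
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder().subject_name(name).issuer_name(name)
        .public_key(key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
    )
    if constrained:  # BR-style constraint: one permitted domain, all IP space excluded
        builder = builder.add_extension(x509.NameConstraints(
            permitted_subtrees=[x509.DNSName("example.com")],
            excluded_subtrees=[x509.IPAddress(ALL_V4), x509.IPAddress(ALL_V6)],
        ), critical=True)
    return builder.sign(key, hashes.SHA256())
```

The check deliberately treats a CA without any EKU as not constrained, since such a CA is in TLS scope but has no technical limit on the names it can issue for.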