Thanks for pointing this out, Ryan and Dimitris. You are both correct: we should direct Taiwan GRCA to change their request from including the root to including only the subordinate CAs that comply with the Mozilla policy. The option of adding the non-compliant subordinate CAs to OneCRL does not meet our policy.
I will determine what additional information we need to change this inclusion request and will add it to bug 1065896. I then expect to place this request on hold until we receive the updated information. <https://bugzilla.mozilla.org/show_bug.cgi?id=1065896>

- Wayne

On Sun, Jan 28, 2018 at 10:53 PM, Dimitris Zacharopoulos <ji...@it.auth.gr> wrote:
>
> On 26/1/2018 11:54 PM, Ryan Sleevi via dev-security-policy wrote:
> > Has any consideration been given to adopt a similar policy as discussed with the Government of Korea application - https://bugzilla.mozilla.org/show_bug.cgi?id=1226100#c38
>
> Just to avoid any possible mis-reading of:
>
> "If you have intermediates for which you cannot disclose, whether it be for personal, operational, or legal reasons, then an appropriate solution, consistent with Mozilla CA Certificate Policy, is to use Technically Constrained Subordinate CAs - as defined within the Baseline Requirements and as reflected within the Mozilla policy. Such TCSCAs are technically limited from the issuance of TLS certificates, and by doing so, are allowed to be operated in a way that is not consistent with the Baseline Requirements nor compliant with Mozilla Policy."
>
> Currently, the Baseline Requirements (section 7.1.5) allow for TCSCAs to issue TLS Certificates, by requiring the nameConstraints extension, limiting the issuance to specific Domain Names and Organizations. These TCSCAs MUST follow the Baseline Requirements, with the exceptions provided for these types of TCSCAs.
>
> As far as the Mozilla Policy is concerned, if a TCSCA is technically capable of issuing a Certificate for TLS authentication or S/MIME, it MUST comply with the Mozilla policy, with the exceptions provided for TCSCAs. Section 1.1 of the Mozilla Policy is fairly clear on the scope of the policy. If there are possibly more exceptions, it should probably be updated to reflect these cases.
>
> Dimitris.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
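As an added illustration, not part of this thread, the Go program below encodes the simplified test implied by Dimitris's paragraph: a subordinate CA is treated as technically constrained only if each issuance capability left open by its EKU (TLS serverAuth, S/MIME emailProtection, or both when the EKU extension is absent) is matched by a permitted nameConstraints subtree of the matching type (dNSName for TLS, rfc822Name for S/MIME). The function names are my own, the certificates are constructed self-signed stand-ins built with the Go standard library, and the remaining BR 7.1.5 and Mozilla-policy requirements (for example directoryName constraints) are deliberately left out, so this is a reading aid, not a compliance tool.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// isTechnicallyConstrained: simplified rule assumed here (not the full BR/Mozilla test). TLS capability
// needs a permitted dNSName subtree, S/MIME capability a permitted rfc822Name subtree; EKU excluding both suffices.
func isTechnicallyConstrained(c *x509.Certificate) bool {
	tls, smime := len(c.ExtKeyUsage) == 0, len(c.ExtKeyUsage) == 0 // no EKU extension: capable of both
	for _, eku := range c.ExtKeyUsage {
		tls = tls || eku == x509.ExtKeyUsageServerAuth || eku == x509.ExtKeyUsageAny
		smime = smime || eku == x509.ExtKeyUsageEmailProtection || eku == x509.ExtKeyUsageAny
	}
	return !(tls && len(c.PermittedDNSDomains) == 0) && !(smime && len(c.PermittedEmailAddresses) == 0)
}

// newSubCA builds a self-signed stand-in for a subordinate CA certificate (constructed test data).
func newSubCA(cn string, ekus []x509.ExtKeyUsage, dns, emails []string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		ExtKeyUsage: ekus, PermittedDNSDomains: dns, PermittedEmailAddresses: emails,
		PermittedDNSDomainsCritical: len(dns)+len(emails) > 0, // marks the whole nameConstraints extension critical
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}

func main() {
	tls := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	for _, c := range []*x509.Certificate{newSubCA("Unconstrained", nil, nil, nil), newSubCA("TLS TCSCA", tls, []string{"example.com"}, nil)} {
		fmt.Printf("%-14s technically constrained: %v\n", c.Subject.CommonName, isTechnicallyConstrained(c))
	}
}
```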