On Monday, July 16, 2018 at 7:25:09 PM UTC-4, Wayne Thayer wrote:
> On Fri, Jul 13, 2018 at 3:50 PM Tim Hollebeek via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > Yeah, I agree I don’t think it was intended. But now that I am aware of
> > the issue, I think the crossing workaround per EKU is actually a good thing
> > for people to be doing. Unless someone can point out why it's bad ...
> >
>
> I'd like to consider any new restrictions on cross-certificates separately.
> I've created https://github.com/mozilla/pkipolicy/issues/145 to track this
> idea, and added that if we go that far we should also think about
> restricting roots to either the Mozilla websites or email trust bit.
>
> > Might want to give people a little more time to plan and adapt to that
> > change though since I doubt anyone thought of it and people need planning
> > runway to change their procedures if it is going to be interpreted this way.
> >
>
> It seems that we have agreement that the current change was not intended to
> apply to cross certificates. I think that is the meaning of the existing
> language, but it would be clearer if the final paragraph of section 5.3 was
> amended to:
>
> These requirements include all intermediate certificates signed by
> cross-certificates which chain to a certificate that is included in
> Mozilla’s CA Certificate Program.
>
> Questions:
> - does anyone object to that new wording?
> - should the official policy be updated with this change prior to 1-Jan
> when the requirement to separate usages of new intermediate certificates
> goes into effect, or can this wait since it is only a clarification?
Since this is only a clarification, then I think the change can wait until
the next update of the Mozilla policy.

Thanks,
Bruce.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
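The usage-separation requirement Wayne refers to (new intermediate certificates carrying either serverAuth or emailProtection, not both) is something a CA can check mechanically in its own issuance pipeline before a certificate leaves the HSM. The block below is an added example, not code from this thread or from Mozilla's pkipolicy repository: a dependency-free decoder for the DER value of an X.509 extKeyUsage extension, plus a check encoding my reading of the section 5.3 conditions (an EKU must be present, anyExtendedKeyUsage must not appear, and serverAuth and emailProtection must not be combined in one certificate). The DER byte strings are constructed sample values; pulling the extension value out of a full certificate is left to whatever X.509 library the pipeline already uses.

```python
"""Decode an X.509 extKeyUsage extension value (DER) and check it against the
usage-separation rule for new intermediates discussed in the thread above.
Added example; the policy conditions below are the editor's reading, not a
quotation of the policy text."""

# Key purpose OIDs from RFC 5280 section 4.2.1.12
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER TLV element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets into dotted form."""
    arcs = []
    value = 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this sub-identifier
            if not arcs:
                first = min(value // 40, 2)  # first two arcs are packed together
                arcs.extend([first, value - 40 * first])
            else:
                arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID sub-identifier")
    return ".".join(str(a) for a in arcs)


def parse_eku(der: bytes) -> list:
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId (OID)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    oids = []
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU")
        oids.append(_decode_oid(value))
    if not oids:
        raise ValueError("EKU must contain at least one KeyPurposeId")
    return oids


def check_intermediate_eku(eku_der) -> list:
    """Return a list of findings for a new intermediate; empty means compliant.

    eku_der is the DER-encoded extension value, or None if the certificate
    carries no extKeyUsage extension at all."""
    if eku_der is None:
        return ["no extKeyUsage extension present"]
    oids = parse_eku(eku_der)
    findings = []
    if ANY_EXTENDED_KEY_USAGE in oids:
        findings.append("anyExtendedKeyUsage present")
    if ID_KP_SERVER_AUTH in oids and ID_KP_EMAIL_PROTECTION in oids:
        findings.append("serverAuth and emailProtection in the same certificate")
    return findings


# Constructed sample extension values (hand-encoded DER, not from real certs)
EKU_TLS_ONLY = bytes.fromhex("300a 06082b06010505070301")
EKU_MIXED = bytes.fromhex("3014 06082b06010505070301 06082b06010505070304")
EKU_ANY = bytes.fromhex("3006 060455 1d2500")

if __name__ == "__main__":
    for name, der in [("tls-only", EKU_TLS_ONLY), ("mixed", EKU_MIXED),
                      ("any", EKU_ANY), ("absent", None)]:
        print(name, check_intermediate_eku(der) or "OK")
```

The check is deliberately conservative: it reports each violated condition separately, so a pipeline that gates issuance on an empty findings list also gets a readable reason in its audit log when it refuses to sign.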