On Wed, Dec 12, 2018 at 9:13 AM Sándor dr. Szőke via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

>
> Thank you for the detailed answer, I think that the requirement is clear
> for us now.
>
> The misunderstanding was caused by the different usage of the term 'Test
> Certificate'.
>
> The 'Test Certificate' in the BR means a certificate which is used for
> domain validation according to section 3.2.2.4.9. In this case it is fully
> understandable to limit the validity of the test certificate, because it is
> in line with other validation methods.
>
Correct.

> Microsec doesn't use this validation method and never issues this type of
> test certificate.
>
> The test certificate in our practice means a certificate which is issued
> in a TEST CA which is not included in the CCADB. These test certificates
> are typically requested by software developers to develop their software
> products which will work with X509 certificates.
>
> I think that these types of test certificates are out of the scope of the
> BR.
>
This is generally correct. Section 1.1 limits the scope of the BRs to
"Certificates that are trusted by virtue of the fact that their
corresponding Root Certificate is distributed in widely-available
application software." Mozilla policy section 7.1 states the following:

Before being included, CAs MUST provide evidence that their CA certificates
have continually, from the time of creation, complied with the then-current
Mozilla Root Store Policy and Baseline Requirements.

This means that "test" certificates chaining to a root that will in the
future be submitted for inclusion in the Mozilla program must comply with
the BRs, even if the root is not in CCADB or Mozilla's program when the
"test" certificates are issued.

In other words, the "test" certificates that you are describing must be
signed by a CA certificate and chain to a root that exist solely for the
purpose of issuing "test" certificates.

>
> Is it correct?
>
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy