On Fri, Jan 18, 2019 at 10:34 AM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> How does this match the policy that a name constrained intermediate (1st
> intermediate) can be placed in the control of an organization that has
> been validated as controlling all the names permitted by the
> constraints?
>
> For example, if (1st intermediate) had name constraints allowing only
> names under mozilla.org and mozilla.com, then I thought policy would
> allow such a CA certificate and its private key to be operated unaudited
> by (in this example) Mozilla. In particular Mozilla could issue (2nd
> intermediate) which is neither audited nor disclosed.

2nd intermediate would also need to be name constrained to comply with Mozilla policy.
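The requirement in the reply above, as an added example that is not part of the original thread: a check that flags any subordinate CA below a name-constrained intermediate that carries no name constraints of its own. The function names and chain data are constructed; the extra test that a subordinate's permitted names stay inside its issuer's is an assumption about what a reviewer would also want, using RFC 5280 dNSName matching.

```python
# Constructed chain data. A real review would read these values from each
# certificate's nameConstraints extension (RFC 5280, section 4.2.1.10).
CHAIN_OK = [("1st intermediate", ["mozilla.org", "mozilla.com"]),
            ("2nd intermediate", ["mozilla.org"])]
CHAIN_UNCONSTRAINED = [("1st intermediate", ["mozilla.org", "mozilla.com"]),
                       ("2nd intermediate", None)]
CHAIN_WIDER = [("1st intermediate", ["mozilla.org", "mozilla.com"]),
               ("2nd intermediate", ["dev.mozilla.org", "example.net"])]


def dns_within(name, constraint):
    """RFC 5280 dNSName matching: the name equals the constraint, or is the
    constraint with one or more labels added on the left."""
    name = name.lower().rstrip(".")
    constraint = constraint.lower().rstrip(".")
    if constraint == "":
        return True  # an empty dNSName constraint matches every name
    return name == constraint or name.endswith("." + constraint)


def review_chain(chain):
    """chain: (label, permitted_dns) pairs from the first constrained
    intermediate downward; permitted_dns is None when the certificate has
    no permitted dNSName subtrees. Returns (label, problem) findings."""
    findings = []
    issuer_permitted = None
    for label, permitted in chain:
        if permitted is None:
            findings.append((label, "no name constraints"))
            continue
        if issuer_permitted is not None:
            for subtree in permitted:
                if not any(dns_within(subtree, p) for p in issuer_permitted):
                    findings.append((label, "permits %s outside issuer's constraints" % subtree))
        issuer_permitted = permitted
    return findings


def leaf_permitted(name, chain):
    """Path-validation view: constraints accumulate down the path, so a leaf
    name must fall inside every constrained CA's permitted subtrees."""
    return all(permitted is None or any(dns_within(name, p) for p in permitted)
               for _, permitted in chain)
```

`leaf_permitted` shows that a validator enforcing RFC 5280 still applies the 1st intermediate's constraints beneath an unconstrained 2nd intermediate, while `review_chain` reports that same chain as a finding.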