El martes, 5 de febrero de 2019, 17:03:50 (UTC+1), Ryan Sleevi escribió: > > Note that the topic of whether or not subscriber EKUs was significantly > discussed in the past, and is why the policy is/tries to be very clear that > it applies to anything technically capable of SSL/TLS issuance, and not > merely leaf certificates. Considering the impact that a compromised CA can > have - for example, being able to issue arbitrary certificates - it's > hopefully clear why this is a necessary condition. Further, given that > subordinate certificates need to comply with the parent CA's policies, it > naturally results in what I described; where if you want divergent > policies, you need to separate out the hierarchies meaningfully and > technically.
Thanks, Ryan, for the clarification. I don't have clear view on all the past discussions, but I presumed this is not a new topic. I mostly agree with you, but I think that there are other mechanisms than separating policies at a Root level (e.g. using intermediate Policy CAs, or just Policy Qualifiers)... Specially for practices like the suspension, which are easily controlled from different angles. Nevertheless, as I said, best thing is to have clear and written rules. Kind regards. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy