Our current Root Store policy assigns two different meanings to the term "technically constrained": * in sections 1.1 and 3.1, it means 'limited by EKU' * in section 5.3 it means 'limited by EKU and name constraints'
The BRs already define a "Technically Constrained Subordinate CA Certificate" as: A Subordinate CA certificate which uses a combination of Extended Key Usage > settings and Name Constraint settings to limit the scope within which the > Subordinate CA Certificate may issue Subscriber or additional Subordinate > CA Certificates. > I propose aligning Mozilla policy with this definition by leaving "technically constrained" in section 5.3, and changing "technically constrained" in sections 1.1 and 3.1 to "technically capable of issuing" (language we already use in section 3.1.2). Here are the proposed changes: https://github.com/mozilla/pkipolicy/commit/91fe7abdc5548b4d9a56f429e04975560163ce3c This is https://github.com/mozilla/pkipolicy/issues/159 I will appreciate everyone's comments on this proposal. In particular, please consider if the change from "Such technical constraints could consist of either:" to "Intermediate certificates that are not considered to be technically capable will contain either:" will cause confusion. - Wayne _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy