Let us consider the case that the CA unsets the critical flag unintentionally,
e.g. using the default configuration, which means there are no explicit
reasons. Is it required that the CA create an incident report to Mozilla?

On Tue, 9 Apr 2019, 19:14 Ryan Sleevi <r...@sleevi.com> wrote:

>
>
> On Tue, Apr 9, 2019 at 10:39 AM Lijun Liao <lijun.l...@gmail.com> wrote:
>
>> Just makes it clear: The extension KeyUsage is optional in subscriber's
>> certificate. But what happens if it is present and is NOT critical?
>>
>
> RFC 5280 says SHOULD, not MUST. RFC 2119 defines SHOULD as:
>
> 3. SHOULD   This word, or the adjective "RECOMMENDED", mean that there
>    may exist valid reasons in particular circumstances to ignore a
>    particular item, but the full implications must be understood and
>    carefully weighed before choosing a different course
>
> I think, in such an event, a CA may be reasonably asked to provide details
> about what the valid reasons of the particular circumstances were to
> deviate from that SHOULD, and how the full implications were understood and
> weighed.
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
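A pure-Python check for the situation discussed in this thread, added here as an example and not code from the list or from either poster: it walks a DER-encoded X.509 Extensions SEQUENCE and reports whether KeyUsage (OID 2.5.29.15) is absent, critical or non-critical, which is exactly the property a CA would want to lint before issuance. The sample extension bytes and the helper names (`_read_tlv`, `wrap_seq`, `key_usage_status`) are constructed for this example.

```python
"""Report the criticality of the KeyUsage extension in a DER Extensions SEQUENCE."""
KEY_USAGE_OID = "2.5.29.15"

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Decode a DER OBJECT IDENTIFIER value into dotted-decimal form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def parse_extensions(ext_seq):
    """Parse Extensions ::= SEQUENCE OF Extension into {oid: (critical, extnValue)}.
    DER encodes 'critical BOOLEAN DEFAULT FALSE' by omission, so an extension
    with no BOOLEAN at all is non-critical; that is the case a CA's default
    configuration can produce without any explicit decision."""
    tag, body, _ = _read_tlv(ext_seq, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    result, pos = {}, 0
    while pos < len(body):
        _, ext, pos = _read_tlv(body, pos)
        t, oid_bytes, p = _read_tlv(ext, 0)
        assert t == 0x06, "extnID must be an OID"
        t, val, p = _read_tlv(ext, p)
        critical = False
        if t == 0x01:                       # optional BOOLEAN critical
            critical = val == b"\xff"
            _, val, p = _read_tlv(ext, p)   # then the OCTET STRING extnValue
        result[_decode_oid(oid_bytes)] = (critical, val)
    return result

def key_usage_status(ext_seq):
    """Return 'absent', 'critical' or 'non-critical' for KeyUsage."""
    exts = parse_extensions(ext_seq)
    if KEY_USAGE_OID not in exts:
        return "absent"
    return "critical" if exts[KEY_USAGE_OID][0] else "non-critical"

def wrap_seq(*items):
    """Wrap already-encoded Extension TLVs in a short-form SEQUENCE (constructed helper)."""
    body = b"".join(items)
    return b"\x30" + bytes([len(body)]) + body

# Constructed sample extensions: KeyUsage (digitalSignature, keyEncipherment)
# with and without the critical BOOLEAN, plus a non-critical BasicConstraints.
KU_CRITICAL = bytes.fromhex("300e0603551d0f0101ff0404030205a0")
KU_NONCRITICAL = bytes.fromhex("300b0603551d0f0404030205a0")
BASIC_CONSTRAINTS = bytes.fromhex("30090603551d1304023000")
```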
