On 24/4/2019 10:18 a.m., Matt Palmer via dev-security-policy wrote:
> On Wed, Apr 24, 2019 at 09:13:31AM +0300, Dimitris Zacharopoulos via dev-security-policy wrote:
>> I support this update but I am not sure if this is somehow linked with the
>> scope of the Mozilla Policy. Does this change mean that after April 1, 2020,
>> any Certificate that does not have an EKU is out of Mozilla Policy scope or
>> not?
> Given that the change doesn't touch section 1.1, it's reasonable to believe
> that the scope of the policy is not changing.
>
>> If this change intends to bring these types of certificates out of scope
>> after April 1, 2020, we must make this clear and probably also update
>> section 1.1.
> My reading of the policy, as amended by this proposal, as well as my
> understanding of past discussions in this group, is that certificates
> without an EKU are in scope now, and they will continue to be in scope if
> this amendment is adopted.  The only change is that end-entity certificates
> without an EKU will be considered misissued if the certificate's notBefore
> is on or after April 1, 2020.
>
> If you feel that the policy, as amended, does not make this state of affairs
> clear, I'm sure Wayne would welcome suggestions for improvement.

I think your explanation clarifies the intent and the policy language makes sense. I wasn't 100% sure if the intent was to narrow the scope or not.


Thanks,
Dimitris.

> - Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
