I'm curious how folks feel about the following practice: Imagine a CA, "Foo", that creates a new Root Certificate ("Root 1"). They create this Root Certificate after the effective date of the Baseline Requirements, but prior to Root Programs consistently requiring compliance with the Baseline Requirements (i.e. between 2012 and 2014). This Root Certificate does not comply with the BRs' rules on Subject: namely, it omits the Country field.
Later, in 2019, Foo takes their existing Root Certificate ("Root 2"), included within Mozilla products, and cross-signs the Subject. This now creates a cross-signed certificate, "Root 1 signed-by Root 2", which has a Subject field that does not comport with the Baseline Requirements. To me, this seems like a clear-cut violation of the Baseline Requirements, and "Foo" could have pursued an alternative hierarchy to avoid needing to cross-sign. However, I thought it interesting to solicit others' feedback on this situation, before opening the CA incident for Foo.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
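The mechanical point behind the post is that a cross-certificate reuses the Subject of the certificate being cross-signed byte for byte, so a Root 1 Subject with no countryName (OID 2.5.4.6) produces a "Root 1 signed-by Root 2" cross-certificate with the same defect. The following is an added example, not code from the post or from any CA: a standard-library Python DER encoder/decoder for an X.501 Name and a check for the countryName attribute. The Subject values, the OID constants and the choice of PrintableString for C and UTF8String for everything else are constructed here for illustration.

```python
"""Encode/decode an X.501 Name in DER and check it for countryName (2.5.4.6).

Added example; standard library only.  The sample Subjects below are constructed
for illustration and are not taken from any real CA.
"""
from typing import Iterator, List, Tuple

OID_COUNTRY = "2.5.4.6"   # id-at-countryName
OID_ORG = "2.5.4.10"      # id-at-organizationName
OID_CN = "2.5.4.3"        # id-at-commonName


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER (tag 0x06) with base-128 arc encoding."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid on the OID content octets (no tag/length)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_name(attrs: List[Tuple[str, str]]) -> bytes:
    """Name ::= SEQUENCE OF RDN; each (oid, value) becomes a single-attribute RDN."""
    seq = b""
    for oid, value in attrs:
        if oid == OID_COUNTRY:
            val = _tlv(0x13, value.encode("ascii"))   # PrintableString for C
        else:
            val = _tlv(0x0C, value.encode("utf-8"))   # UTF8String for the rest
        atv = _tlv(0x30, encode_oid(oid) + val)       # AttributeTypeAndValue
        seq += _tlv(0x31, atv)                        # RelativeDistinguishedName (SET)
    return _tlv(0x30, seq)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _iter_tlvs(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    pos = 0
    while pos < len(buf):
        tag, body, pos = _read_tlv(buf, pos)
        yield tag, body


def subject_attribute_oids(name_der: bytes) -> List[str]:
    """Walk SEQUENCE -> SET -> SEQUENCE -> OID and collect every attribute type."""
    tag, seq, _ = _read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    oids: List[str] = []
    for set_tag, rdn in _iter_tlvs(seq):
        if set_tag != 0x31:
            raise ValueError("RDN must be a SET")
        for atv_tag, atv in _iter_tlvs(rdn):
            if atv_tag != 0x30:
                raise ValueError("AttributeTypeAndValue must be a SEQUENCE")
            oid_tag, oid_body, _ = _read_tlv(atv, 0)
            if oid_tag != 0x06:
                raise ValueError("attribute type must be an OID")
            oids.append(decode_oid(oid_body))
    return oids


def has_country(name_der: bytes) -> bool:
    return OID_COUNTRY in subject_attribute_oids(name_der)


# Constructed sample Subjects (illustrative, not real CA names).
ROOT1_SUBJECT = encode_name([(OID_ORG, "Foo"), (OID_CN, "Foo Root 1")])       # no C
ROOT2_SUBJECT = encode_name([(OID_COUNTRY, "US"), (OID_ORG, "Foo"), (OID_CN, "Foo Root 2")])
# A cross-certificate carries the cross-signed certificate's Subject unchanged.
CROSS_SIGNED_SUBJECT = ROOT1_SUBJECT

if __name__ == "__main__":
    for label, subj in [("Root 1", ROOT1_SUBJECT), ("Root 2", ROOT2_SUBJECT),
                        ("Root 1 signed-by Root 2", CROSS_SIGNED_SUBJECT)]:
        print(f"{label}: countryName present = {has_country(subj)}")
```

The decoder checks tags at every level, so it rejects a Name that is not SEQUENCE-of-SET-of-SEQUENCE rather than silently scanning for an OID pattern; on a real certificate the same walk applies once you have extracted the subject Name from the TBSCertificate.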