As an alternative to this addition to MRSP section 5.3, please consider
and comment on:

Thus, the operator of a CA certificate trusted in Mozilla’s CA Certificate
Program MUST disclose in the CCADB all non-technically constrained CA
certificates they issue that chain up to that CA certificate trusted in
Mozilla’s CA Certificate Program. This applies to all non-technically
constrained CA certificates, including those that are self-signed,
doppelgänger, reissued, or cross-signed.


On Thu, Nov 12, 2020 at 11:54 AM Ben Wilson <bwil...@mozilla.com> wrote:

> Jakob,
>
> On Thu, Nov 12, 2020 at 10:39 AM Jakob Bohm via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>>
>> How would that phrasing cover doppelgangers of intermediary SubCAs under
>> an included root CA?
>>
>>
> To clarify, the title of section 5.3 is "Intermediate Certificates".
> Also, both subsections (1) and (2) under the proposed amendment reference
> "intermediate certificates" -  "(1) ...the Subject Distinguished Name in a
> CA certificate or *intermediate certificate* that is in scope according
> to section 1.1 of this Policy" and "(2)... corresponding Public Key is
> encoded in the SubjectPublicKeyInfo of that CA certificate or *intermediate
> certificate*." And finally, additional
> language would try to make this clear by saying, "Thus, these
> requirements also apply to so-called reissued/doppelganger CA certificates
> (roots *and intermediates*) and to cross-certificates."
>
> I hope this answers your question.
>
> Sincerely,
>
> Ben
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy