In the Github document, which I'm using to track proposed language, I've
added "This applies to all non-technically constrained CA certificates,
including those that share the same key pair whether they are self-signed,
doppelgänger, reissued, cross-signed, or other roots."
https://github.com/BenWilson-Mozilla/pkipolicy/commit/5a3dd2e9d92ec689e08bf1cfa279121e2bb0478b
.

On Sun, Jan 24, 2021 at 3:12 PM Ben Wilson <bwil...@mozilla.com> wrote:

> As an alternative for this addition to MRSP section 5.3, please consider
> and comment on:
>
> Thus, the operator of a CA certificate trusted in Mozilla’s CA Certificate
> Program MUST disclose in the CCADB all non-technically constrained CA
> certificates they issue that chain up to that CA certificate trusted in
> Mozilla’s CA Certificate Program. This applies to all non-technically
> constrained CA certificates, including those that are self-signed,
> doppelgänger, reissued, or cross-signed.
>
>
> On Thu, Nov 12, 2020 at 11:54 AM Ben Wilson <bwil...@mozilla.com> wrote:
>
>> Jakob,
>>
>> On Thu, Nov 12, 2020 at 10:39 AM Jakob Bohm via dev-security-policy <
>> dev-security-policy@lists.mozilla.org> wrote:
>>
>>>
>>> How would that phrasing cover doppelgangers of intermediary SubCAs under
>>> an included root CA?
>>>
>>>
>>> To clarify, the title of section 5.3 is "Intermediate Certificates".
>> Also, both subsections (1) and (2) under the proposed amendment reference
>> "intermediate certificates" - "(1) ...the Subject Distinguished Name in a
>> CA certificate or *intermediate certificate* that is in scope according
>> to section 1.1 of this Policy" and "(2)... corresponding Public Key is
>> encoded in the SubjectPublicKeyInfo of that CA certificate or *intermediate
>> certificate*." And finally, additional
>> language would try and make this clear by saying, "Thus, these
>> requirements also apply to so-called reissued/doppelganger CA certificates
>> (roots *and intermediates*) and to cross-certificates."
>>
>> I hope this answers your question.
>>
>> Sincerely,
>>
>> Ben
>>
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy