All,

We have removed the section of this Mozilla CA wiki page that referred to
the concept of “non-disclosable intermediate certificates”:
https://wiki.mozilla.org/CA/Subordinate_CA_Checklist.

Specifically, the language suggesting that certain subordinate CA
certificates might be exempt from disclosure has been deleted, as that
concept no longer serves any useful purpose and does not reflect current
policy or practice.

The diff showing the removed content is located here:
https://wiki.mozilla.org/index.php?title=CA/Subordinate_CA_Checklist&diff=1256370&oldid=1256352

The CCADB Policy provides no exception for the non-disclosure of
intermediates. It requires disclosure of all subordinate CA certificates
capable of validating to a certificate included in a Root Store or
associated with a CCADB Root Inclusion Request. CA operators participating
in Mozilla’s Root Program are already required to adhere to the CCADB
Policy, so there should be no cases in practice where a “non-disclosable”
intermediate exists.

Removing this section from the wiki page also helps avoid situations where
a CA operator might mistakenly conclude that an intermediate certificate
need not be disclosed based on its own internal assessment of constraints
or intended use. Disclosure requirements apply regardless of how
constrained a subordinate CA certificate is believed to be, and clarity
here helps reduce the risk of inadvertent non-disclosure.

Thanks,
Ben Wilson
Mozilla CA Program
