The updated 2.6.1 version of the Mozilla Root Store policy resulting from
this discussion is now published:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
- Wayne
On Mon, Aug 6, 2018 at 3:28 PM Wayne Thayer wrote:
> Having received no comments on this prop
Having received no comments on this proposal, I plan to go ahead and
publish version 2.6.1 of the Mozilla Root Store Policy with the third
paragraph of section 5.3 clarified as follows:
Intermediate certificates created after January 1, 2019, with the exception
of cross-certificates that share a p
Kathleen pointed out that one of the purposes of this section is to require
disclosure of cross-certificates, and my first attempted fix seems to
violate that purpose. Here is my second attempt to clarify the language in
section 5.3:
https://github.com/mozilla/pkipolicy/commit/43bdf5d6e97cdda0d8b1
On Monday, July 16, 2018 at 7:25:09 PM UTC-4, Wayne Thayer wrote:
> On Fri, Jul 13, 2018 at 3:50 PM Tim Hollebeek via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > Yeah, I agree I don't think it was intended. But now that I am aware of
> > the issue, I think the cros
f
> Bruce via
> > dev-security-policy
> > Sent: Friday, July 13, 2018 10:17 AM
> > To: mozilla-dev-security-pol...@lists.mozilla.org
> > Subject: Re: Do We Now Require Separate Cross-certificates for SSL and
> > S/MIME?
> >
> > Agreed that old cross-certifi
ozilla.org] On Behalf Of Bruce via
> dev-security-policy
> Sent: Friday, July 13, 2018 10:17 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Do We Now Require Separate Cross-certificates for SSL and
> S/MIME?
>
> Agreed that old cross-certificates will no
--
> > From: dev-security-policy [mailto:dev-security-policy-
> > bounces+tim.hollebeek=digicert@lists.mozilla.org] On Behalf Of Bruce via
> > dev-security-policy
> > Sent: Thursday, July 12, 2018 10:28 AM
> > To: mozilla-dev-security-pol...@lists.mozilla.org
> > S
s+tim.hollebeek=digicert@lists.mozilla.org] On Behalf Of Bruce via
> dev-security-policy
> Sent: Thursday, July 12, 2018 10:28 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Do We Now Require Separate Cross-certificates for SSL and
> S/MIME?
>
> Note the BRs defin
Note the BRs define Cross Certificate as "a certificate that is used to
establish a trust relationship between two Root CAs."
I think the intent was to technically restrict subordinate CAs or rather CAs
which are online and issue end entity certificates. My assumption is that we
want to 1) not
During a 2.6 policy discussion [1], we agreed to add the following language
to section 5.3 "Intermediate Certificates":
> Intermediate certificates created after January 1, 2019:
>
>
> * MUST contain an EKU extension; and,
> * MUST NOT include the anyExtendedKeyUsage KeyPurposeId; and,
> * MUST NO