I support this, as long as Policy CAs meet the same operations standards
and have the same issuance restrictions as root CAs. This would result in
no real change to policy, as I assume roots not directly included in the
Mozilla root store were already considered “roots” for this part of the
On Fri, Apr 26, 2019 at 5:39 PM Wayne Thayer wrote:
> This does not, however, address the last part of what Brian proposes -
>> which is examining if, how many, and which CAs would fail to meet these
>> encoding requirements today, either in their roots, subordinates, or leaf
>> certificates.
>>
On Fri, Apr 26, 2019 at 7:02 PM Wayne Thayer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> In version 2.6 of our Root Store Policy, we added the requirement to
> section 5.3 that intermediate certificates contain an EKU and separate
> serverAuth and emailProtection
In the course of normal communications with AT, we came across an SSL
certificate that did not have the required AIA extension in it on Friday
April 16th. We had a conference call shortly thereafter and they verified
that one of their current EJBCA certificate profiles is missing this