Re: The CAA DNS Operator Exception Is Problematic

2021-02-10 Thread Ryan Sleevi via dev-security-policy
On Tue, Feb 9, 2021 at 9:22 PM Nick Lamb via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On Mon, 8 Feb 2021 13:40:05 -0500
> Andrew Ayer via dev-security-policy wrote:
>
> > The BRs permit CAs to bypass CAA checking for a domain if "the CA or
> > an Affiliate of the

Re: The CAA DNS Operator Exception Is Problematic

2021-02-10 Thread Wojtek Porczyk via dev-security-policy
On Wed, Feb 10, 2021 at 02:21:53AM +, Nick Lamb via dev-security-policy wrote:
> On Mon, 8 Feb 2021 13:40:05 -0500
> Andrew Ayer via dev-security-policy wrote:
>
> > The BRs permit CAs to bypass CAA checking for a domain if "the CA or
> > an Affiliate of the CA is the DNS Operator (as

Re: Policy 2.7.1: MRSP Issue #186: Requirement to Disclose Self-signed Certificates

2021-02-10 Thread Ben Wilson via dev-security-policy
In the GitHub document, which I'm using to track proposed language, I've added "This applies to all non-technically constrained CA certificates, including those that share the same key pair whether they are self-signed, doppelgänger, reissued, cross-signed, or other roots."

Re: Action on Camerfirma Root CAs

2021-02-10 Thread Kathleen Wilson via dev-security-policy
I filed https://bugzilla.mozilla.org/show_bug.cgi?id=1692094 to turn off the Websites trust bit for the 2008 root certs, and to set the "Distrust for S/MIME After Date" for the older root certs. Thanks, Kathleen