She's clarified in the discussion thread that it is all SubCAs chained to a CA's root certificate that must be disclosed, regardless of who controls the private key.
Jeremy

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Kurt Roeckx
Sent: Wednesday, May 14, 2014 2:37 PM
To: Kathleen Wilson
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Question about disclosing subCA certs

On Wed, May 14, 2014 at 01:08:12PM -0700, Kathleen Wilson wrote:
> All,
>
> In response to the CA Communication, I have received the following question.
>
> Question: Please clarify Action #5: Do you expect public disclosure of
> all subordinate CA certificates, or just those issued to third parties?
>
> Answer:
> http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
> "8. ... The term "subordinate CA" below
> refers to any organization or legal entity that is in possession or
> control of a certificate that is capable of being used to issue new
> certificates. ...
> 9. We encourage CAs to technically constrain all subordinate CA
> certificates. For a certificate to be considered technically
> constrained, the certificate MUST include an Extended Key Usage (EKU)
> extension specifying all extended key usages that the subordinate CA
> is authorized to issue certificates for. ...
> 10. We recognize that technically constraining subordinate CA
> certificates as described above may not be practical in some cases.
> All certificates that are capable of being used to issue new
> certificates, that are not technically constrained, and that directly
> or transitively chain to a certificate included in Mozilla's CA
> Certificate Program MUST be audited in accordance with Mozilla's CA
> Certificate Policy and MUST be publicly disclosed by the CA that has
> their certificate included in Mozilla's CA Certificate Program. ..."
>
> So, my interpretation of the policy is that it applies to all, both
> internally-operated and externally-operated, sub CA certs.

I think what you're saying is all those CA certs for which they control the private key.

Kurt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
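Policy items 9 and 10 as quoted above turn on one observable property of a sub CA certificate: whether it carries an EKU extension that bounds what it may issue. The Go program below is an added example, not code from this thread, from Mozilla, or from any CA; it mints self-signed test certificates with Go's standard library and sorts them into the disclosure classes the policy describes. The class names (`NotCA`, `TechnicallyConstrained`, `MustDiscloseAndAudit`), the reading of "capable of being used to issue new certificates" as basicConstraints cA=TRUE, and the treatment of anyExtendedKeyUsage as equivalent to no constraint are assumptions of the example, not text from the policy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Disclosure is this example's reading of policy items 9 and 10: a CA-capable
// certificate is either technically constrained by an EKU extension, or it
// must be audited and publicly disclosed.
type Disclosure int

const (
	NotCA                  Disclosure = iota // cannot issue certificates; outside items 9/10
	TechnicallyConstrained                   // item 9: EKU extension lists the authorized usages
	MustDiscloseAndAudit                     // item 10: CA-capable but not constrained
)

func (d Disclosure) String() string {
	return [...]string{"not a CA", "technically constrained", "must be audited and disclosed"}[d]
}

// Classify inspects a parsed certificate. "Capable of being used to issue new
// certificates" is taken (assumption) to mean basicConstraints cA=TRUE.
func Classify(cert *x509.Certificate) Disclosure {
	if !cert.BasicConstraintsValid || !cert.IsCA {
		return NotCA
	}
	// No EKU extension at all: nothing bounds what this CA may issue.
	if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 {
		return MustDiscloseAndAudit
	}
	// Assumption of this example: anyExtendedKeyUsage removes every bound,
	// so it is treated the same as a missing EKU extension.
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageAny {
			return MustDiscloseAndAudit
		}
	}
	return TechnicallyConstrained
}

// ClassifyPEM is the entry point for a certificate read from disk.
func ClassifyPEM(data []byte) (Disclosure, error) {
	block, _ := pem.Decode(data)
	if block == nil || block.Type != "CERTIFICATE" {
		return NotCA, errors.New("no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return NotCA, err
	}
	return Classify(cert), nil
}

// MakeTestCert mints a self-signed certificate with the given CA flag and EKU
// list so the classifier can be exercised offline. This is constructed test
// data, not any real CA's certificate.
func MakeTestCert(cn string, isCA bool, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtKeyUsage:           ekus, // empty => no EKU extension is encoded
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed sample names; the classification is what matters.
	cases := []struct {
		name string
		isCA bool
		ekus []x509.ExtKeyUsage
	}{
		{"Example Corp Internal TLS Sub CA", true, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}},
		{"Example Corp Unconstrained Sub CA", true, nil},
		{"Example Corp Any-EKU Sub CA", true, []x509.ExtKeyUsage{x509.ExtKeyUsageAny}},
		{"Example Corp Leaf", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}},
	}
	for _, c := range cases {
		cert, err := MakeTestCert(c.name, c.isCA, c.ekus)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-36s -> %s\n", c.name, Classify(cert))
	}
}
```

Run over a real intermediate by feeding its PEM to `ClassifyPEM`; the self-signed certificates in `main` exist only so the program runs without any CA material. Note that the check says nothing about who holds the private key, which matches the clarification at the top of this message: disclosure follows from the certificate's capabilities, not from who operates it.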