Hi Kathleen,

The policy group responsible for control of our certificates and keys have a
question for you concerning the disclosure requirements.

We have a number of CAs in 'CRL/OCSP only' mode where certificate issuance
has been programmatically suspended. In many cases the Subordinate CAs and
their associated keys will be decommissioned - once all certificates chained
to them have expired. It is also the same for some of the Subordinate CAs
where keys are held by our customers. Whilst many have successfully
transitioned to Technical Constraints, this has been through a parallel/new
CA and therefore the old CA again remains in CRL only mode until all
certificates have expired.

Are you expecting/requesting disclosure of 'all' certificates (past, present
and indeed in the future) or only for each CA to maintain a list of
'current' live subordinate CAs actively issuing?

Thanks for some clarification on this point so I can go back to the team.

Steve


_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
