On Wed, Aug 20, 2014 at 1:55 PM, <[email protected]> wrote:
> I've encountered a wildcard end-entity certificate on a live server that
> chains directly to the root cert. There is no intermediate certificate and
> the root is in the Mozilla trust store.
>
> I assume this is a frowned upon practice that will be stopped as the BRs are
> adopted and such certs expire naturally. There is no reason for such certs
> to be reissued indefinitely, is there?
>
> Beyond this one case I'm wondering if there are any survey data or anecdotes
> about how common a practice this is (was?).
It is allowed by the BRs if (as per section 12):

a. The Root CA uses a 1024-bit RSA signing key that was created prior to the Effective Date;
b. The Applicant's application was deployed prior to the Effective Date;
c. The Applicant's application is in active use by the Applicant or the CA uses a documented process to establish that the Certificate's use is required by a substantial number of Relying Parties;
d. The CA follows a documented process to determine that the Applicant's application poses no known security risks to Relying Parties; and
e. The CA documents that the Applicant's application cannot be patched or replaced without substantial economic outlay.

and the Root CA Certificate has a validity period beginning on or before 31 Dec 2010 (Appendix A)

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
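The two messages above describe a chain shape (wildcard leaf signed directly by a trust-store root) and the BR conditions under which it is still permitted (a 1024-bit RSA root key, root validity beginning on or before 31 Dec 2010). Below is an added example, not code from either participant, showing how a defender would audit a served chain for exactly those properties using only Go's standard library: verify the leaf against the root, report whether the verified path contains no intermediate, whether the leaf is a wildcard, the root's RSA modulus size, and whether the root's notBefore predates the cut-off. The certificates it inspects are constructed in the block itself (names such as *.example.test, "Constructed Legacy Root", the 2009 root date and the serial numbers are all made up for the example) so that it runs offline; AuditChain is the part you would point at a real chain.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"slices"
	"strings"
	"time"
)

// brRootCutoff is the 31 Dec 2010 root validity cut-off cited in the reply (BR Appendix A).
var brRootCutoff = time.Date(2010, 12, 31, 23, 59, 59, 0, time.UTC)

// ChainFindings records, for one served chain, the properties the thread asks about.
type ChainFindings struct {
	DirectlyIssuedByRoot bool // verified path is leaf + trust anchor only: no intermediate
	WildcardLeaf         bool // leaf CN or a dNSName SAN starts with "*."
	RootRSABits          int  // root modulus size, 0 if not RSA; 1024 is condition (a) in the reply
	RootPredatesCutoff   bool // root notBefore on or before 31 Dec 2010
}

// AuditChain verifies leaf against root (through any intermediates) and reports the findings.
func AuditChain(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate) (ChainFindings, error) {
	var f ChainFindings
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	if err != nil {
		return f, fmt.Errorf("leaf does not chain to the supplied root: %w", err)
	}
	f.DirectlyIssuedByRoot = len(chains[0]) == 2 // shortest verified path: leaf first, trust anchor last
	f.WildcardLeaf = slices.ContainsFunc(append([]string{leaf.Subject.CommonName}, leaf.DNSNames...),
		func(n string) bool { return strings.HasPrefix(n, "*.") })
	if pub, ok := root.PublicKey.(*rsa.PublicKey); ok {
		f.RootRSABits = pub.N.BitLen()
	}
	f.RootPredatesCutoff = !root.NotBefore.After(brRootCutoff)
	return f, nil
}

// must is a fixture helper; the remaining functions build constructed certificates.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template returns a CA or server-auth leaf template with constructed values.
func template(serial int64, name string, isCA bool, notBefore time.Time) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: notBefore, NotAfter: time.Now().Add(5 * 365 * 24 * time.Hour)}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates an RSA key of the given size and signs tmpl with parentKey (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey, bits int) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, bits))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// ConstructedChains reproduces the thread's scenario with constructed material: a wildcard leaf issued
// directly by a 1024-bit RSA root dated 2009, and, for comparison, a plain leaf via a 2048-bit intermediate.
func ConstructedChains() (direct, viaIntermediate ChainFindings, err error) {
	hourAgo := time.Now().Add(-time.Hour)
	root, rootKey := issue(template(1, "Constructed Legacy Root", true, time.Date(2009, 1, 1, 0, 0, 0, 0, time.UTC)), nil, nil, 1024)
	leaf, _ := issue(template(2, "*.example.test", false, hourAgo), root, rootKey, 2048)
	if direct, err = AuditChain(leaf, nil, root); err != nil {
		return
	}
	inter, interKey := issue(template(3, "Constructed Intermediate", true, hourAgo), root, rootKey, 2048)
	leaf2, _ := issue(template(4, "www.example.test", false, hourAgo), inter, interKey, 2048)
	viaIntermediate, err = AuditChain(leaf2, []*x509.Certificate{inter}, root)
	return
}

func main() {
	direct, via, err := ConstructedChains()
	fmt.Printf("direct-to-root: %+v\nvia intermediate: %+v\nerr: %v\n", direct, via, err)
}
```

For the direct chain the findings come back with DirectlyIssuedByRoot and WildcardLeaf set, RootRSABits 1024 and RootPredatesCutoff true, which is the combination the original poster saw and the reply's conditions (a) and Appendix A speak to; the comparison chain differs only in DirectlyIssuedByRoot and WildcardLeaf. Against real material, load the served leaf and intermediates with x509.ParseCertificate and the candidate root from a trust-store dump, and run AuditChain per observed chain; that is the raw data a survey of how common the practice is would be built from.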

