On 12/19/14 4:40 AM, Erwann Abalea wrote:
Current Mozilla CA Policy (version 2.2) adopts CABR BR 1.1.5.
What is Mozilla's position about duplicate serial numbers? BR 1.2.2 added an
exemption for CT, to allow pre-certs to be issued under the same CA and having
the same serial number as the final certificate.
Example certificate for validg2.entrust.net has been renewed on Dec 17, and the
new one is CT-enabled. Its precert has been issued under the same CA as the
final cert, so technically 2 certificates with the same serial number have been
issued under the same CA.
I plan to update Mozilla's CA Policy to take this into account.
https://wiki.mozilla.org/CA:CertPolicyUpdates#Consider_for_Version_2.3
==
The following items will be discussed in regards to version 2.3 of
Mozilla's CA Certificate Policy.
- Consider adding "except as permitted under CT" to item #4 of the
Inclusion Policy, where it says "duplicate issuer names and serial
numbers". Then it becomes: "…duplicate issuer names and serial numbers,
except as permitted under CT;"
-- Bugzilla bug 1016587
==
Kathleen
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy