On Fri, April 24, 2015 8:39 am, Moudrick M. Dadashov wrote:
> So I thought everybody "standing under the umbrella" is treated the same
> way.

My point is that they aren't, and they never have.

> Cross-signing scenarios may or may not result in creation of a new CA,
> probably this is the most noticeable difference.

Sure. I'm using cross-signing interchangeably with "signing an unconstrained intermediate", since they are procedurally identical from the point of view of the issuing CA (that is, you're signing a certificate with CA:TRUE), but not all certificates with "CA:TRUE" are treated equally by Mozilla, which is the point I made.

> Whatever they do, a Mozilla applicant must be a CA by definition, right?
> Therefore the clarification of HOWs below is definitely useful in the
> process of transferring-gaining the "new CA" status but shouldn't be
> considered as an alternative Root inclusion option.

Yes, all Mozilla applicants must be CAs. My point is that not all CAs must be Mozilla applicants.

Having an existing CA sign your "CA:TRUE" certificate is a way to avoid becoming a Mozilla applicant, and that has always been true, and, honestly, I think that's actually OK.

Ergo, acquiring a "CA:TRUE" certificate, provided that the controls required for all "CA:TRUE" certificates are met, shouldn't intrinsically mean you must now become a Mozilla applicant.

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

