Ok, probably many CAs would be happy with something like this:
1. If a Root cert transfer creates a new "CA", follow: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/;
2. If a Root cert transfer doesn't create a new CA but results in creation of an Issuing CA(s), p. 8, 9 and 10 of the Root inclusion policy apply.
Would it be sufficient?

Thanks,
M.D.

On 4/24/2015 7:19 PM, Ryan Sleevi wrote:
> On Fri, April 24, 2015 8:39 am, Moudrick M. Dadashov wrote:
>> So I thought everybody "standing under the umbrella" is treated the same way.
>
> My point is that they aren't, and they never have been.
>
>> Cross-signing scenarios may or may not result in creation of a new CA, probably this is the most noticeable difference.
>
> Sure. I'm using cross-signing interchangeably with "signing an unconstrained intermediate", since they are procedurally identical from the point of view of the issuing CA (that is, you're signing a certificate with CA:TRUE), but not all certificates with "CA:TRUE" are treated equally by Mozilla, which is the point I made.
>
>> Whatever they do, a Mozilla applicant must be a CA by definition, right? Therefore the clarification of HOWs below is definitely useful in the process of transferring-gaining the "new CA" status but shouldn't be considered as an alternative Root inclusion option.
>
> Yes, all Mozilla applicants must be CAs. My point is that not all CAs must be Mozilla applicants. Having an existing CA sign your "CA:TRUE" certificate is a way to avoid becoming a Mozilla applicant, and that has always been true, and, honestly, I think that's actually OK. Ergo, acquiring a "CA:TRUE" certificate, provided that the controls required for all "CA:TRUE" certificates are met, shouldn't intrinsically mean you must now become a Mozilla applicant.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

