The Mozilla CA Certificate Policy requires that all subordinate CAs which 
chain to Mozilla-accepted root CAs be technically constrained or publicly 
disclosed and audited. Regarding public disclosure, it further specifies that:

"The Certificate Policy or Certification Practice Statement of the CA that has 
their certificate included in Mozilla's CA Certificate Program must specify 
where on that CA's website all such public disclosures are located." 

I checked several large CAs, which all have unconstrained subCAs, and could not 
find such a statement in their CPS or CP.

CyberTrust (https://cybertrust.omniroot.com/repository) does not appear to have 
disclosed its subCAs anywhere.
GeoTrust (https://www.geotrust.com/resources/repository/legal) has disclosed 
its subCAs in a bug (https://bugzilla.mozilla.org/show_bug.cgi?id=1019860).
Comodo (https://www.comodo.com/about/comodo-agreements.php) and Entrust 
(http://www.entrust.net/CPS) have disclosed the list on their 
web sites but do not refer to the disclosure in their CPS/CP.

Are these not violations of Mozilla policy? Or am I missing something?
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy