Hey Matthew,

I believe we are in the process of collecting this information from CAs.

But there's probably a good meta point here, that we should have effective dates for Mozilla policies, just like the BRs.

--Richard

Sent from my iPhone. Please excuse brevity.

> On May 2, 2015, at 13:36, Matthew Pun <[email protected]> wrote:
>
> The Mozilla CA Certificate Policy requires that all subordinate CAs which
> chain to Mozilla-accepted root CAs be technically constrained or publicly
> disclosed and audited. Regarding public disclosure, it further specifies that:
>
> "The Certificate Policy or Certification Practice Statement of the CA that
> has their certificate included in Mozilla's CA Certificate Program must
> specify where on that CA's website all such public disclosures are located."
>
> I checked several large CAs, which all have unconstrained subCAs, and could
> not find such a statement in their CPS or CP.
>
> CyberTrust (https://cybertrust.omniroot.com/repository) does not appear to
> have disclosed its subCAs anywhere.
> GeoTrust (https://www.geotrust.com/resources/repository/legal) has disclosed
> its subCAs in a bug (https://bugzilla.mozilla.org/show_bug.cgi?id=1019860).
> Comodo (https://www.comodo.com/about/comodo-agreements.php) and Entrust
> (http://www.entrust.net/CPS) have disclosed the list on their
> web sites but do not refer to the disclosure in their CPS/CP.
>
> Are these not violations of Mozilla policy? Or am I missing something?
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

