On 10/15/2015 5:27 AM, Kai Engert wrote [in part]:
>
> (a) Only grant the S/MIME trust bit if a CA has been granted the SSL/TLS
> trust bit already.
>
> If Mozilla decides to remove an SSL/TLS trust bit, the S/MIME trust bit (and
> potentially all other trust bits) for that CA will get removed, too.
>
> This eliminates the need to work on any CAs that are for the S/MIME purpose,
> only.
>
>
> (b) Only CAs that explicitly state they'd like to be granted the S/MIME
> trust bit might potentially get it.
>
> This avoids the likelihood that any CA's root gets accidentally used for the
> non-SSL/TLS purpose.

This might be okay if applied to certification authorities but not to individual root certificates. We should not block the S/MIME trust bit when a certification authority chooses to have separate root certificates for TLS and S/MIME.

--
David E. Ross
The Crimea is Putin's Sudetenland. The Ukraine will be Putin's Czechoslovakia. See <http://www.rossde.com/editorials/edtl_PutinUkraine.html>.

