On Wed, Nov 11, 2015 at 12:21 AM, Adriano Santoni <[email protected]> wrote:
> The issue I raised is not whether ccTLDs are allowed in the BRs (they
> apparently are, to date) or what kind of entity could be allowed a ccTLD in
> their SubCA certificate's permittedSubtrees.
>
> My point is whether a SubCA having a ccTLD in its permittedSubtrees can
> reasonably be regarded as "technically constrained" and therefore be allowed
> not to be disclosed and not to be formally audited...
Under the Mozilla policy today, this is not true. Mozilla inclusion policy item #12 requires that all CAs follow the CA/Browser Forum Baseline Requirements (BRs). The BRs require that the CA signing the technically constrained cross certificate audit the constrained CA. The "parent" CA is then required to be audited, and presumably their controls and operation of the subordinate audit will be reviewed by their WebTrust or ETSI auditor. I agree this is a weaker requirement, but there is oversight.

Thanks,
Peter

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
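The thread turns on what a permittedSubtrees entry naming only a ccTLD actually restricts. The following is an added example, not code from either poster or from Mozilla: it implements the RFC 5280 section 4.2.1.10 dNSName matching rule (a host satisfies a constraint when it is formed by adding zero or more whole labels to the left of the constraint) and a small reviewer check that flags one-label constraints. The constraint strings and host names are constructed for illustration; treating a leading "." on a constraint as equivalent to the bare name is an assumption about how some issuers encode it, not an RFC 5280 rule.

```python
# Added example (not from the thread): RFC 5280 dNSName name-constraint
# matching, used to show what a permittedSubtrees entry that names only a
# ccTLD actually restricts. Pure Python, no X.509 parsing; the constraint
# strings and hosts below are constructed for illustration.


def _labels(name: str) -> list:
    """Split a DNS name into lowercase labels, dropping empty labels so that
    '.it', 'it' and 'it.' all become ['it']."""
    return [lab for lab in name.lower().split(".") if lab]


def dns_name_in_subtree(host: str, constraint: str) -> bool:
    """RFC 5280 4.2.1.10: a host satisfies a dNSName constraint when it can be
    formed by adding zero or more labels to the left of the constraint. The
    comparison is on whole labels, never a plain string-suffix match, so
    'notit.com' does NOT satisfy the constraint 'it'.
    Assumption: a leading '.' on the constraint is treated like the bare name
    (some issuers encode it that way)."""
    h, c = _labels(host), _labels(constraint)
    if not c:                 # empty constraint: every name satisfies it
        return True
    if len(h) < len(c):
        return False
    return h[len(h) - len(c):] == c


def host_permitted(host, permitted, excluded=()):
    """Apply excludedSubtrees first (an exclusion always wins), then
    permittedSubtrees. An empty permitted list means the dNSName name form
    is unconstrained for this issuer."""
    if any(dns_name_in_subtree(host, e) for e in excluded):
        return False
    if not permitted:
        return True
    return any(dns_name_in_subtree(host, p) for p in permitted)


def constraint_breadth(constraint: str) -> str:
    """Rough classification of how much one permittedSubtrees entry narrows
    the sub-CA: a single-label constraint covers an entire TLD."""
    n = len(_labels(constraint))
    if n == 0:
        return "unconstrained"
    if n == 1:
        return "tld"
    return "domain"


def review_permitted_subtrees(permitted):
    """Return the entries a reviewer would flag: bare TLDs and entries that
    constrain nothing at all."""
    return [p for p in permitted
            if constraint_breadth(p) in ("tld", "unconstrained")]


if __name__ == "__main__":
    cctld_only = [".it"]            # constructed: sub-CA constrained to a ccTLD
    single_org = ["example.it"]     # constructed: sub-CA constrained to one domain
    for host in ["www.example.it", "example.it", "other.it", "example.com"]:
        print(f"{host:16} ccTLD-only: {host_permitted(host, cctld_only)!s:5} "
              f"single-org: {host_permitted(host, single_org)!s:5}")
    print("flagged:", review_permitted_subtrees(cctld_only))
```

Running the block shows that under the ccTLD-only constraint every name under .it is issuable, while the single-domain constraint admits only example.it and its subdomains; review_permitted_subtrees is the kind of check a policy reviewer could run over a sub-CA's NameConstraints before accepting it as meaningfully constrained.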

