On 2/6/16 11:45 AM, Peter Bowen wrote:
The Mozilla CA Certificate policy says, in part:

"8. All certificates that are capable of being used to issue new
certificates, and which directly or transitively chain to a
certificate included in Mozilla’s CA Certificate Program, MUST be
operated in accordance with Mozilla’s CA Certificate Policy and MUST
either be technically constrained or be publicly disclosed and
audited.

* A certificate is deemed as capable of being used to issue new
certificates if it contains an X.509v3 basicConstraints extension,
with the cA boolean set to true.
* These requirements include all cross-certified certificates which
chain to a certificate that is included in Mozilla’s CA Certificate
Program."

I would propose that transitive disclosure not be required when the
subject of the CA-certificate is also the subject of a certificate
included directly in the Mozilla trust store.
I think we want such relationships to be clearly disclosed. In the future, in the case that there is an incident that requires blocking a particular CA-certificate, we would be able to use Salesforce to find all the relationships with other CA-Certificates in the program.

Kathleen

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy