On Fri, Mar 04, 2016 at 09:19:36PM +0000, Rob Stradling wrote:
> Maybe we need to take a different approach that ignores the end-entity
> certificate profile completely. How about we propose that...
>
> - An X.509 certificate is in scope for the BRs if it's signed by an
> Issuing CA that is in scope.
>
> - An Issuing CA is in scope if:
> i) it chains to a Root Certificate that is trusted for server
> authentication
You'll want to describe *who* trusts the root. I trust lots of private PKI roots for server authentication in my own gear, but they're never going mainstream.

Perhaps "it chains to a Root Certificate that is trusted, or is intended to be trusted, by one or more Browser members of the CA/Browser Forum for server authentication"? The "intended to be trusted" is to make sure that candidates for browser trust programs know they're on the hook, too.

- Matt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

