On 04/03/16 23:14, Matt Palmer wrote:
> On Fri, Mar 04, 2016 at 09:19:36PM +0000, Rob Stradling wrote:
>> Maybe we need to take a different approach that ignores the end-entity
>> certificate profile completely. How about we propose that...
>> - An X.509 certificate is in scope for the BRs if it's signed by an
>> Issuing CA that is in scope.
>> - An Issuing CA is in scope if:
>> i) it chains to a Root Certificate that is trusted for server
>> authentication
>
> You'll want to describe *who* trusts the root.

Hi Matt. I thought somebody might point that out. Sorry for my
handwaviness. ;-)

"*who* trusts" is indeed important, but it wasn't the aspect of the
scope problem I was trying to solve with my previous post.

> I trust lots of private PKI roots for server authentication in my own
> gear, but they're never going mainstream.
>
> Perhaps "it chains to a Root Certificate that is trusted, or is intended to
> be trusted, by one or more Browser members of the CA/Browser Forum for
> server authentication"? The "intended to be trusted" is to make sure that
> candidates for browser trust programs know they're on the hook, too.
>
> - Matt
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy