On Thursday, March 10, 2016 at 4:14:45 PM UTC-8, Jakob Bohm wrote:
> General: Throughout this document you use phrases such as "all
> certificates that directly or transitively chain to your root
> certificate(s) included in Mozilla's CA Certificate Program",
> shouldn't those phrases exclude technically constrained subCAs,
> such as subCAs used exclusively for codesigning (which has a near
> indefinite need for SHA-1 certs due to Microsoft actions).
>
I think this only applies to the SHA1 action item...

ACTION 1 -- SHA1
I think we want this action item to apply to all S/MIME and TLS/SSL certificates chaining up to included roots, regardless of whether the intermediate is constrained or not. Correct?

ACTION 2 -- enter intermediate certs into CA Community in Salesforce
Says ... that are not technically constrained as described in section 9 of Mozilla's CA Certificate Inclusion Policy.

ACTION 3 -- OneCRL
Says ... and were not technically constrained as described in section 9 of Mozilla's CA Certificate Inclusion Policy.

ACTION 4 -- removing workarounds from mozilla::pkix
It won't matter if the intermediates are technically constrained; the code will still reject certs that are issued after the date with those problems.

ACTION 5 -- removing retired roots
Constraints not applicable.

ACTION 6 -- test certs
I guess it depends if we say anything further about test certificates other than all certs must comply with Mozilla's CA Cert Policy. Should we say anything else here?

Thanks,
Kathleen

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

