On Monday, March 14, 2016 at 10:11:20 PM UTC-7, Eric Mill wrote:
>
> However, just for extra emphasis, it might be useful to work the phrase
> "cross-signature" or similar into the paragraph, to make sure that CAs are
> reminded to consider these when evaluating your action request.
>
> One way of doing this might be adding to the end of the first paragraph:
> "This can include cross-signatures that create a chain to issuing
> certificates owned by third parties, whether or not those issuing
> certificates are already part of the Mozilla CA Certificate Program."
>

I added a sentence to the end of the first paragraph, as suggested:

~~
ACTION #2: Version 2.1 of Mozilla's CA Certificate Policy added the requirement that CAs must provide public-facing documentation about certificate verification requirements and annual public attestation of conformance to the stated certificate verification requirements for all certificates that are capable of being used to issue new certificates, and which directly or transitively chain to their certificate(s) included in Mozilla's CA Certificate Program that are not technically constrained as described in section 9 of Mozilla's CA Certificate Inclusion Policy. This includes cross-signed certificates that create a chain to issuing certificates owned by third parties, whether or not those issuing certificates are already part of Mozilla's CA Certificate Program.

Respond with the date by which you plan to complete entry into Mozilla's CA Community in Salesforce of the PEM data, CP/CPS, and audit statements for all certificates that are capable of being used to issue new certificates, and which directly or transitively chain to your certificate(s) included in Mozilla's CA Certificate Program that are not technically constrained as described in section 9 of Mozilla's CA Certificate Inclusion Policy. This includes every intermediate certificate (chaining up to your root certificates in Mozilla's program with the Websites trust bit enabled) that is not Technically Constrained via Extended Key Usage and Name Constraint settings.

The date that you enter must be on or before [DATE TBD]. (Required)
~~

Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

