On 9/1/2016 3:52 AM, Nick Lamb wrote:
> It may make sense to explicitly tell Hongkong Post that it must not do 
> anything which would have the effect of subverting/undoing this change. For 
> example, if Hongkong Post wants to create a new certificate for the 
> intermediate "Hongkong Post e-Cert CA 1 - 10" (perhaps now with constraints 
> forbidding SSL Server certs) it should ensure Mozilla understands and agrees 
> the contents of that new certificate as appropriate first.

We actually planned to create a new Sub CA ("Hongkong Post e-Cert CA 2 -
16") for transitioning end-entity certs (except the SSL server certs)
under "Hongkong Post e-Cert CA 1 - 10" to it. All SSL server certs under
"Hongkong Post e-Cert CA 1 - 10" would naturally expire, or be revoked
by 31 Dec 2016. The key cutting and certificate generation are scheduled
for next week. It's great for Mozilla to understand the new Sub CA, and I
highly appreciate your input so that we're explicitly told about the
requirement of an intermediate certificate that does not issue SSL server
certs.

But the creation of the new Sub CA seems to be off-topic. I will open
another thread when we're ready.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
