On Tue, Oct 25, 2016 at 12:12:47PM -0700, Ryan Sleevi wrote:

> 8. All certificates that are capable of being used to issue new certificates,
> and which directly or transitively chain to a certificate included in
> Mozilla's CA Certificate Program, MUST be operated in accordance with
> Mozilla's CA Certificate Policy and MUST either be technically constrained or
> be publicly disclosed and audited.
>
> This wording implies that technically constrained sub-CAs, from a Mozilla
> Policy standpoint, are not required to adhere to the Baseline Requirements.
So I think what you're trying to say is that you interpret it as:

"MUST either be (technically constrained) or (be publicly disclosed and audited)"

While maybe it was meant to say:

"MUST either be (technically constrained or be publicly disclosed) and audited"

Where audited can either be done by an external auditor, or by the CA that issued the TCSC. But you could also interpret it like we only require an audit report from those that are not technically constrained.

To avoid confusion, you could make it a list like:

- technically constrained or be publicly disclosed
- audited

It's also not clear from that sentence that they need to adhere to the BRs, but I guess that comes from the audit requirements.

Kurt

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

