On 18/11/16 00:28, Andrew Ayer wrote:
> I see the appeal of this.  However, I'm concerned that allowing
> leniency with name-constrained TCSCs will make it hard for Mozilla to
> make security improvements to its certificate validation in the
> future.  Improvements like rejecting SHA-1, 1024-bit RSA keys, and
> certificates valid for more than 39 months were only possible because
> CAs were first made to stop issuing these types of certificates.  If
> policies are not enforced on the issuance of certificates from TCSCs,
> how will Mozilla make these types of changes in the future without
> causing massive breakage?

Mozilla's policy certainly needs some sections to apply to every cert
issued under the roots in the store, and some sections which apply only
to server certs (BR-compliant; recognised by Firefox) or email certs. I
hope, before too long, to rearrange it in this way. It could then also
have requirements which only apply to non-TCSC-issued certs. The
question is, which rules should be in which category.

Gerv
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
