On 04/12/16 08:17, Wen-Cheng Wang wrote:
> You are right, there are several subordinate CAs under our Government
> Root CA. Our Government Root CA and all its subordinate have WebTrust
> for CA audits. However, among those subordinate CAs, only GCA will
> issue SSL certificates. Therefore, only Government Root CA and GCA
> have SSL BR audits. Since currently all other subordinate CAs do not
> issue SSL certificates, it is certainly not possible for them to have
> SSL BR audits.

Not possible technically, or not possible by policy?

As I understand it, Peter is pointing out that these subordinate CAs are not constrained, and so could issue SSL certificates which would be trusted in any browser which trusted the root. Therefore, their policies and practices have to fall under Mozilla's root policy.

We plan to make an update to the policy to make it very clear that the important criterion is technical capability, not intent. See:
https://github.com/mozilla/pkipolicy/issues/27

Gerv

