We want to change the policy to make it clear that whether a cert is covered by our policy or not is dependent on whether it is technically capable of issuing server certs, not whether it is intended by the CA for issuing server certs.
Until we change Firefox to require id-kp-serverAuth, the policy will define "capable" as "id-kp-serverAuth or no EKU". This involves a number of wording tweaks; the full set of changes is here: https://github.com/mozilla/pkipolicy/compare/issue-27

This is: https://github.com/mozilla/pkipolicy/issues/27

-------

This is a proposed update to Mozilla's root store policy for version 2.4. Please keep discussion in this group rather than on Github. Silence is consent.

Policy 2.3 (current version): https://github.com/mozilla/pkipolicy/blob/2.3/rootstore/policy.md

Update process: https://wiki.mozilla.org/CA:CertPolicyUpdates

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
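The "capable" test proposed above (no EKU extension, or an EKU that includes id-kp-serverAuth), as an added illustration that is not part of the original post or of the Mozilla policy repository. It uses the Python `cryptography` library; the three self-signed certificates are constructed in the block only to exercise the check.

```python
"""Classify certificates by the proposed 'technically capable of issuing
server certs' test: in scope if there is no EKU extension at all, or if the
EKU extension lists id-kp-serverAuth. Example code, not Mozilla's."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def covered_by_policy(cert: x509.Certificate) -> bool:
    """True if the cert is 'capable' under the proposed wording."""
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        # No EKU means the key is not technically restricted, so it counts
        # as capable of server authentication regardless of the CA's intent.
        return True
    return ExtendedKeyUsageOID.SERVER_AUTH in eku


def make_cert(eku_oids):
    """Build a self-signed CA cert for testing (constructed sample data).
    eku_oids=None omits the EKU extension entirely."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Sub CA")])
    start = datetime.datetime(2017, 1, 1, tzinfo=datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    )
    if eku_oids is not None:
        builder = builder.add_extension(x509.ExtendedKeyUsage(eku_oids), critical=False)
    return builder.sign(key, hashes.SHA256())


def classify_samples() -> dict:
    """Run the check over three constructed intermediates."""
    return {
        "no_eku": covered_by_policy(make_cert(None)),
        "serverauth_and_clientauth": covered_by_policy(make_cert(
            [ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH])),
        "email_only": covered_by_policy(make_cert([ExtendedKeyUsageOID.EMAIL_PROTECTION])),
    }
```

Note that a CA-issued intermediate marked only for, say, S/MIME by its CP/CPS but carrying no EKU extension still comes back True: that is exactly the intent-versus-capability distinction the proposal draws.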

