On Tue, Feb 7, 2017 at 9:25 AM, Gervase Markham <[email protected]> wrote:
> 2) The issuing intermediate:
It may be worth clarifying this as "the issuing certificate". The subtlety/nuance here is that if the end entity is deemed out of scope of the Baseline Requirements, then you are allowing for the elimination of the rule that prevents direct issuance from the Root. By clarifying it as 'issuing certificate', you 'hopefully' avoid a misinterpretation that suggests direct issuance by a root is acceptable, so long as it meets the leaf criteria.

The downside to this is that it does leave another loophole (both present and in the modified version) in which, if a given issuing CA has multiple associated certificates, they could be argued as complying with the letter but not the spirit. Perhaps "All certificates sharing the same key and whose issuer matches the certificate subject", but that's... a mouthful :)

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
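The two situations discussed above (a leaf issued directly from a self-signed root, and an issuing CA key that appears in several cross-certificates with the same subject) can be checked mechanically. The following is an added example, not code from the thread or from Mozilla's policy tooling. It uses only Go's standard library: it builds a constructed toy hierarchy (two roots, one "Issuing CA" key certified by both, one leaf under that key and one leaf issued straight from a root; all names, serials and keys are made up for the demonstration), then identifies every "issuing certificate" for a leaf as any certificate whose subject matches the leaf's issuer and whose key actually verifies the leaf's signature, and groups those matches by SPKI hash so cross-certificates of one key become visible.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// IssuerMatch is one certificate that qualifies as "the issuing certificate" for a leaf:
// its Subject equals the leaf's Issuer and its key verifies the leaf's signature.
type IssuerMatch struct {
	CommonName string
	KeyID      string // hex SHA-256 over the issuer's SubjectPublicKeyInfo
	SelfSigned bool   // true when the issuer is a root (subject == issuer and it verifies itself)
}

// FindIssuers returns every certificate in pool whose name and key match the leaf's issuer.
// Several matches sharing one KeyID are cross-certificates of the same CA key.
func FindIssuers(leaf *x509.Certificate, pool []*x509.Certificate) []IssuerMatch {
	var out []IssuerMatch
	for _, c := range pool {
		if !bytes.Equal(c.RawSubject, leaf.RawIssuer) || leaf.CheckSignatureFrom(c) != nil {
			continue // name mismatch, or this key did not sign the leaf
		}
		spki := sha256.Sum256(c.RawSubjectPublicKeyInfo)
		out = append(out, IssuerMatch{
			CommonName: c.Subject.CommonName,
			KeyID:      hex.EncodeToString(spki[:]),
			SelfSigned: bytes.Equal(c.RawSubject, c.RawIssuer) && c.CheckSignatureFrom(c) == nil,
		})
	}
	return out
}

// IssuedDirectlyByRoot reports whether any issuing certificate for leaf is a self-signed root.
func IssuedDirectlyByRoot(leaf *x509.Certificate, pool []*x509.Certificate) bool {
	for _, m := range FindIssuers(leaf, pool) {
		if m.SelfSigned {
			return true
		}
	}
	return false
}

// GroupByKey maps each distinct issuer key to the subject names certified under it.
func GroupByKey(ms []IssuerMatch) map[string][]string {
	g := map[string][]string{}
	for _, m := range ms {
		g[m.KeyID] = append(g[m.KeyID], m.CommonName)
	}
	return g
}

// caTemplate builds a CA template; BasicConstraints and keyCertSign are required by CheckSignatureFrom.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// mustCert signs tmpl for pub under parent with signer and parses the result.
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildScenario constructs the toy hierarchy (made-up test data, not real CA material):
// Root A and Root B (self-signed); one "Issuing CA" key certified by both roots (a cross-cert);
// leaf issued by that key; rootLeaf issued straight from Root A.
func BuildScenario() (leaf, rootLeaf *x509.Certificate, pool []*x509.Certificate) {
	newKey := func() *ecdsa.PrivateKey {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		return k
	}
	rootAKey, rootBKey, icaKey, leafKey := newKey(), newKey(), newKey(), newKey()
	ta, tb := caTemplate("Root A", 1), caTemplate("Root B", 2)
	rootA := mustCert(ta, ta, &rootAKey.PublicKey, rootAKey)
	rootB := mustCert(tb, tb, &rootBKey.PublicKey, rootBKey)
	icaUnderA := mustCert(caTemplate("Issuing CA", 10), rootA, &icaKey.PublicKey, rootAKey)
	icaUnderB := mustCert(caTemplate("Issuing CA", 11), rootB, &icaKey.PublicKey, rootBKey) // same key, cross-signed
	leafTmpl := func(serial int64) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: "example.test"},
			DNSNames:     []string{"example.test"},
			NotBefore:    time.Now().Add(-time.Hour),
			NotAfter:     time.Now().Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
	}
	leaf = mustCert(leafTmpl(100), icaUnderA, &leafKey.PublicKey, icaKey)
	rootLeaf = mustCert(leafTmpl(101), rootA, &leafKey.PublicKey, rootAKey)
	return leaf, rootLeaf, []*x509.Certificate{rootA, rootB, icaUnderA, icaUnderB}
}

func main() {
	leaf, rootLeaf, pool := BuildScenario()
	for key, names := range GroupByKey(FindIssuers(leaf, pool)) {
		fmt.Printf("issuer key %s... appears in %d certificate(s): %v\n", key[:16], len(names), names)
	}
	fmt.Println("leaf issued directly by a root:    ", IssuedDirectlyByRoot(leaf, pool))
	fmt.Println("rootLeaf issued directly by a root:", IssuedDirectlyByRoot(rootLeaf, pool))
}
```

Matching on the raw DER of the names plus a signature check, rather than on the issuer string alone, is what makes the "same key, multiple certificates" case show up as two matches under one KeyID instead of being silently collapsed; a policy check that looks only at a single chain as served by a TLS endpoint would see just one of them.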

