On 08/02/17 02:32, Ryan Sleevi wrote:
> By clarifying it as 'issuing certificate', you 'hopefully' avoid a
> misinterpretation that suggests direct issuance by a root is acceptable, so
> long as it meets the leaf criteria.

CAs wanted to be able to manually issue OCSP signing certificates
directly from a root; are you opposing that?

> Perhaps "All certificates sharing the same key and whose issuer matches the
> certificate subject" but that's... a mouthful :)

Hmm. This seems like a problem whose scope is wider than here. Does the
policy need a definition somewhere, which says something like "If a rule
applies to a certificate, it also applies to all other certs sharing the
same issuer and key"?

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
