[ Corresponding issue on GitHub: https://github.com/mozilla/pkipolicy/issues/67 ]
Mozilla's CA Certificate Policy says:

> All certificates that are capable of being used to issue new
> certificates, that are not technically constrained, and that directly
> or transitively chain to a certificate included in Mozilla's CA
> Certificate Program MUST be audited in accordance with Mozilla's CA
> Certificate Policy and MUST be publicly disclosed in the CCADB by the
> CA that has their certificate included in Mozilla's CA Certificate
> Program.

One cannot disclose a sub-CA certificate without first signing it, so there will always be some delay between the creation of a sub-CA and its disclosure in the CCADB. How long can a CA delay the disclosure? All the policy currently says is this:

> The CA with a certificate included in Mozilla's CA Certificate
> Program MUST disclose this information before any such subordinate CA
> is allowed to issue certificates.

My interpretation of the policy is that a CA could delay disclosure for quite some time if the sub-CA is not used to issue certificates right away. If the sub-CA is created as a backup that is never used, the disclosure would never need to happen.

I think this is bad. An upper limit on the delay should be precisely specified by the policy. My opinion is that it should be on the order of days, although the policy might need to afford some leeway to CAs that are new to the Mozilla program and do not have access yet to CCADB.

Regards,
Andrew

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

