On 28/03/17 13:32, Jakob Bohm via dev-security-policy wrote:
> <snip>
> On 28/03/17 11:02, Gervase Markham via dev-security-policy wrote:
>> <snip>
>> Your case is missing the part where you explain why you think this is bad :-) What risks are associated with undisclosed dormant sub-CA certs?
>> <snip>
>
> Actually, I think it is about ensuring that there are no non-compliant issuers of Mozilla-trusted certificates, that might be issuing improperly validated certificates.

We're talking about the policy's requirement for disclosing "dormant" sub-CAs, not sub-CAs "that might be issuing".

By the time a sub-CA issues its first cert, that sub-CA MUST have already been disclosed. The policy is already clear on this point.
-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy