On Thu, Apr 13, 2017 at 9:33 AM, douglas.beattie--- via dev-security-policy <firstname.lastname@example.org> wrote:

> On Thursday, April 13, 2017 at 10:49:17 AM UTC-4, Gervase Markham wrote:
>> On 13/04/17 14:23, Doug Beattie wrote:
>> > There is no statement back to scope or corresponding audits. Were
>> > secure email capable CAs supposed to be disclosed and audited to
>> > Mozilla under 2.3?
>>
>> If they did not include id-kp-serverAuth, I would not have faulted a CA
>> for not disclosing them if they met the exclusion criteria for email
>> certs as written.
>
> OK.
>
>> > and how it applies to Secure email, I don't see how TCSCs with secure
>> > email EKU fall within the scope of the Mozilla Policy 2.3. Can you
>> > help clarify?
>>
>> I think this is basically issue #69.
>> https://github.com/mozilla/pkipolicy/issues/69
>
> OK, I look forward to a conclusion on that. I hope that name constraining a
> secure email CA (either technically in the CA certificate or via business
> controls) is sufficient to avoid WebTrust Audits. If public disclosure helps
> get us there then that would be acceptable.
Should the Mozilla policy change to require disclosure of all CA certificates issued by an unconstrained CA (but not necessarily require audits, CP/CPS, etc.)? This would help identify unintentional gaps in policy.

Thanks,
Peter