On 15/04/17 17:05, Peter Bowen via dev-security-policy wrote:
On Thu, Apr 13, 2017 at 9:33 AM, douglas.beattie--- via
dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
On Thursday, April 13, 2017 at 10:49:17 AM UTC-4, Gervase Markham wrote:
On 13/04/17 14:23, Doug Beattie wrote:
There is no statement back to scope or corresponding audits.  Were
secure email capable CAs supposed to be disclosed and audited to
Mozilla under 2.3?

If they did not include id-kp-serverAuth, I would not have faulted a CA
for not disclosing them if they met the exclusion criteria for email
certs as written.


and how it applies to Secure email, I don't see how TCSCs with secure
email EKU fall within the scope of the Mozilla Policy 2.3.  Can you
help clarify?

I think this is basically issue #69.

OK, I look forward to a conclusion on that.  I hope that name constraining a
secure email CA (either technically in the CA certificate or via business
controls) is sufficient to avoid WebTrust Audits.  If public disclosure helps
get us there then that would be acceptable.

Should the Mozilla policy change to require disclosure of all CA
certificates issued by an unconstrained CA (but not necessarily
require audits, CP/CPS, etc)? This would help identify unintentional
gaps in policy.


Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
dev-security-policy mailing list
