It has been suggested we need a formal definition of what we consider mis-issuance. The closest we have is currently a couple of sentences in section 7.3:

"A certificate that includes domain names that have not been verified according to section 3.2.2.4 of the Baseline Requirements is considered to be mis-issued. A certificate that is intended to be used only as an end entity certificate but includes a keyUsage extension with values keyCertSign and/or cRLSign or a basicConstraints extension with the cA field set to true is considered to be mis-issued."

This is clearly not an exhaustive list; one would also want to include BR violations, RFC violations, and insufficient EV vetting, at least. The downside of defining it is that CAs might try and rules-lawyer us in a particular situation. Here's some proposed text which provides more clarity while hopefully avoiding rules-lawyering:

"The category of mis-issued certificates includes (but is not limited to) those issued to someone who should not have received them, those containing information which was not properly validated, those having incorrect technical constraints, and those using algorithms other than those permitted."

If you have suggestions on how to improve this definition, let's keep brevity in mind :-)

This is: https://github.com/mozilla/pkipolicy/issues/76

-------

This is a proposed update to Mozilla's root store policy for version 2.5. Please keep discussion in this group rather than on Github. Silence is consent.

Policy 2.4.1 (current version): https://github.com/mozilla/pkipolicy/blob/2.4.1/rootstore/policy.md
Update process: https://wiki.mozilla.org/CA:CertPolicyUpdates

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
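The second sentence of the existing section 7.3 text is a purely technical test that a relying party or a CA's pre-issuance linter can apply to a certificate on its own: an end-entity certificate must not carry basicConstraints cA=true, nor keyCertSign or cRLSign in keyUsage. The following Go program is an added illustration of that check and is not part of the post, the policy, or any Mozilla tooling; the function and type names (`CheckEndEntityConstraints`, `Finding`, `makeCert`) are assumptions, and the two certificates it builds are constructed self-signed samples rather than real issued certificates. The domain-validation and EV-vetting criteria from the same text cannot be checked from the certificate alone, so they are deliberately outside this program's scope.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is one reason a certificate fails the section 7.3 technical-constraint
// test. The type is an assumption made for this example, not policy wording.
type Finding string

// CheckEndEntityConstraints applies the section 7.3 test to a certificate that is
// intended to be used only as an end-entity certificate: a basicConstraints
// extension with cA=true, or a keyUsage containing keyCertSign or cRLSign, marks
// it as mis-issued. It returns one Finding per violated condition (empty = clean).
func CheckEndEntityConstraints(cert *x509.Certificate) []Finding {
	var findings []Finding
	if cert.BasicConstraintsValid && cert.IsCA {
		findings = append(findings, "basicConstraints cA=true on an end-entity certificate")
	}
	if cert.KeyUsage&x509.KeyUsageCertSign != 0 {
		findings = append(findings, "keyUsage includes keyCertSign")
	}
	if cert.KeyUsage&x509.KeyUsageCRLSign != 0 {
		findings = append(findings, "keyUsage includes cRLSign")
	}
	return findings
}

// makeCert builds a self-signed certificate with the given constraints. This is
// constructed sample input for the demonstration only; the name and key are
// throwaway values and the certificate is never trusted by anything.
func makeCert(isCA bool, keyUsage x509.KeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.test"},
		DNSNames:              []string{"example.test"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              keyUsage,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, // always emit basicConstraints so cA is explicit
		IsCA:                  isCA,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	// Re-parse the DER so the check runs on what a relying party would actually see.
	return x509.ParseCertificate(der)
}

func main() {
	// A leaf that wrongly carries the CA bit and the certificate-signing usage.
	bad, err := makeCert(true, x509.KeyUsageDigitalSignature|x509.KeyUsageCertSign)
	if err != nil {
		panic(err)
	}
	// A correctly constrained TLS server leaf.
	good, err := makeCert(false, x509.KeyUsageDigitalSignature)
	if err != nil {
		panic(err)
	}
	for name, c := range map[string]*x509.Certificate{"bad-leaf": bad, "good-leaf": good} {
		findings := CheckEndEntityConstraints(c)
		if len(findings) == 0 {
			fmt.Printf("%s: no section 7.3 technical-constraint findings\n", name)
			continue
		}
		for _, f := range findings {
			fmt.Printf("%s: mis-issued: %s\n", name, f)
		}
	}
}
```

The check deliberately keys off the parsed fields rather than raw extension bytes, so it behaves the same whether the offending values arrived in a critical or non-critical extension; a production linter would add the "intended to be used only as an end entity certificate" determination (for example, from the issuance profile or the presence of serverAuth EKU) as an explicit input instead of assuming it as this example does.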