On Fri, Jun 02, 2017 at 04:50:44PM +0100, Gervase Markham wrote:
> On 02/06/17 12:24, Kurt Roeckx wrote:
> > Should that be "all certificates" instead of "all SSL certificates"?
>
> No; the Baseline Requirements apply only to SSL certificates.

Then I don't understand what you're trying to do. If the BR already apply to all SSL certificates, why would Mozilla need to override this and say it applies to all SSL certificates?

The BR are at least confusing as to what they claim to be about. The title of the document says "for the issuance and management of publicly-trusted certificates". In the "notice to readers" they say it's about server authentication, and seem to imply it doesn't cover "web services", code signing, smime, ...

Maybe you want to say it also applies to client authentication?

I also think it's wrong to say it just applies to SSL certificates, it also applies to at least the intermediate CAs.

I also see very little reason why the BRs couldn't be applied to all certificates if they put some effort in making the BRs actual baseline requirements. About the only things in the BRs that don't apply to all certificates are the SAN requirements and things related to having control over the domain name. It shouldn't be that hard to move those things to a separate document instead.

Kurt