On 12/07/17 21:18, Ben Wilson wrote:
> For CAs with emailProtection and proper name constraints, where would such 
> CAs appear in  <https://crt.sh/mozilla-disclosures> 
> https://crt.sh/mozilla-disclosures?   
> <https://crt.sh/mozilla-disclosures#constrainedother> 
> https://crt.sh/mozilla-disclosures#constrainedother ? Or a new section of the 
> list, yet to be determined?

I believe Rob has now split the list into two.

> And for CAs where EKU contains emailProtection, what are the programmatic 
> criteria that determine whether the CA will be in such list as properly name 
> constrained, since the Baseline Requirements don’t cover email certificates?  
> (Presumably, a properly name-constrained email CA would not require any 
> audit.)

Rob would be able to say. But the criteria for whether an email
intermediate is properly name constrained are in Mozilla policy 2.5.

dev-security-policy mailing list

Reply via email to