1. It is well established that logging pre-certs constitutes "issuance" for purposes of policy compliance. If you wouldn't issue it, don't log it. Not difficult. And this isn't new.
2. When a new path comes into existence in the Web PKI you don't need to explicitly "use" it as a CA, the Relying Parties may rely on this path for a variety of reasons out of your control. If you don't want a particular path to be used don't create it. (An example not related to the present circumstances: Let's Encrypt has a path from their Issuing CAs to the ISRG root. Today this root is not widely trusted and so they provide subscribers with an alternative intermediate CA cert leading to Identrust. But some clients, including Firefox, will use the ISRG path anyway because they trust it.)

3. The non-disclosure of the CA:TRUE certs is unambiguously a policy violation. Adding them to OneCRL immediately seems like exactly the right response.

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

