On Tuesday, 19 September 2017 15:46:09 UTC+1, Franck Leroy wrote:

> 1/ When we use our root, we produce a key ceremony report.
> 2/ The signature value doesn't appear in the report, so it is not possible to reproduce the certificate.
> 3/ My safe is in a closet which I don't have the key to, so I have to ask my manager to open it, then I can open my safe with my key.
Thanks Franck, I have no doubt that this was obvious to people who have worked for a public CA, but it wasn't obvious to me, so thank you for answering.

I think these answers give us good reason to be confident that a cross-signed certificate in this situation would not be available to either end subscribers or StartCom unless/until the CA which cross-signed it wanted that to happen.

It might still make sense for Mozilla to clarify that this isn't a good idea, or even outright forbid it anyway, but I agree with your perspective that this seemed permissible under the rules as you understood them and wasn't obviously unreasonable.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

