On Tue, Sep 19, 2017 at 3:09 PM, Nick Lamb via dev-security-policy <[email protected]> wrote:
> I have no doubt that this was obvious to people who have worked for a public
> CA, but it wasn't obvious to me, so thank you for answering. I think these
> answers give us good reason to be confident that a cross-signed certificate
> in this situation would not be available to either end subscribers or
> StartCom unless/until the CA which cross-signed it wanted that to happen.
>
> It might still make sense for Mozilla to clarify that this isn't a good idea,
> or even outright forbid it anyway, but I agree with your perspective that
> this seemed permissible under the rules as you understood them and wasn't
> obviously unreasonable.
I'm pretty sure it's already forbidden, since policy version 2.5 anyway (it has an effective date after the Certinomis shenanigans though):

"The CA with a certificate included in Mozilla’s root program MUST disclose this information within a week of certificate creation, and before any such subordinate CA is allowed to issue certificates."

2.5 added the "within a week of certificate creation" [1]. "Creation" vs "My Safe", "Creation" wins. :-)

[1] https://github.com/mozilla/pkipolicy/commit/b7d1b6c04458114fbe73fa3f146ad401235c2a1b

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

