The problem with the wording of the paragraphs in section 5.3.1 is that they should have said "..., in order to be considered Technically Constrained, ...". Right now they read like absolutes.
-----Original Message-----
From: dev-security-policy [mailto:[email protected]] On Behalf Of Ben Wilson via dev-security-policy
Sent: Monday, January 8, 2018 3:42 PM
To: [email protected]
Subject: 5.3.1 Technically Constrained

Which "above paragraph" is being referenced in the following excerpt from Section 5.3.1 of the Mozilla Root Store Policy v.2.5 (https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/)?

"Instead of complying with the above paragraph, intermediate certificates issued before 22nd June 2017 may, until 15th January 2018, comply with the following paragraph: If the certificate includes the id-kp-emailProtection extended key usage, then all end-entity certificates MUST only include e-mail addresses or mailboxes that the issuing CA has confirmed (via technical and/or business controls) that the subordinate CA is authorized to use."

I interpret that "the above paragraph" means the following paragraph:

"5.3 Intermediate Certificates
All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to a certificate included in Mozilla's CA Certificate Program, MUST be operated in accordance with this policy and MUST either be technically constrained or be publicly disclosed and audited."

Thanks,
Ben Wilson

Ben Wilson, JD, CISA, CISSP
VP Compliance
+1 801 701 9678

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

