What about the Mozilla CA communication that said that CAs had until 15 April 2018?
-----Original Message-----
From: dev-security-policy [mailto:[email protected]] On Behalf Of Rob Stradling via dev-security-policy
Sent: Tuesday, January 16, 2018 2:29 PM
To: [email protected]
Subject: CCADB disclosure of id-kp-emailProtection intermediates

[Kathleen, Gerv, Wayne: Please correct me if this post misrepresents Mozilla's policy and/or current expectations. Thanks!]

Mozilla Root Store Policy v2.5 section 5.3.1 [1] permitted the non-disclosure (and, IINM, non-audit) of certain non-technically-constrained id-kp-emailProtection intermediate certificates...until yesterday:

"Instead of complying with the above paragraph, intermediate certificates issued before 22nd June 2017 may, until 15th January 2018..."

According to [2], there are currently 223 non-technically-constrained intermediate certificates known to crt.sh that chain to an NSS built-in root (that has the Email trust bit set) and are capable of issuing id-kp-emailProtection certificates but not id-kp-serverAuthentication certificates.

IIUC, the Mozilla policy now requires these intermediate certificates to have already been disclosed to the CCADB and to be audited.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

