That is a distinction without a difference. If I create a subCA, it’s because I want to put it into production soon afterwards. This proposal is going to add hours per week that DigiCert is going to have to do, on top of reporting CAs to the CCADB, and everything else that CAs have to do. What is the security-critical driver behind this? Where is the risk-cost-benefit analysis?

From: Wayne Thayer [mailto:wtha...@mozilla.com]
Sent: Thursday, April 5, 2018 1:56 PM
To: Ben Wilson <ben.wil...@digicert.com>
Cc: Dimitris Zacharopoulos <ji...@it.auth.gr>; r...@sleevi.com; mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: Policy 2.6 Proposal: Audit requirements for new subCA certificates

On Thu, Apr 5, 2018 at 12:05 PM, Ben Wilson <ben.wil...@digicert.com> wrote:

> If I create a new sub CA on a weekly basis, will that mean that I have to republish my CPS every week? That makes absolutely no sense.

As proposed, the requirement isn't based on when the subCA certificate is created - it requires the subCA to be added to the CP/CPS before being used to issue certificates.

Refer to the following thread for background on this proposal: https://groups.google.com/d/msg/mozilla.dev.security.policy/CAaC2a2HMiQ/IKimeW4NBgAJ

_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy