As an alternative to requiring newly-issued subCA Certificates to be listed
in the relevant CP/CPS prior to issuing certificates, would it be
reasonable for Mozilla to require the Certificate Policies extension in
these certificates to contain a URL pointing to the relevant policy
document(s)? I believe that most subCA certificates already contain this

In theory, we could also permit three options - add the new subCA
certificate to the relevant CP/CPS, include a Certificate Policies pointer,
or publish an attestation, but I'd prefer a single, consistent mechanism
that allows a relying party to determine which policies apply.

- Wayne

On Thu, Apr 5, 2018 at 1:12 PM, Ben Wilson wrote:

> That is a distinction without a difference.  If I create a subCA, it’s
> because I want to put it into production soon afterwards. This proposal is
> going to add hours per week that DigiCert is going to have to do, on top of
> reporting CAs to the CCADB, and everything else that CAs have to do.  What
> is the security-critical driver behind this?  Where is the
> risk-cost-benefit analysis?
> *From:* Wayne Thayer
> *Sent:* Thursday, April 5, 2018 1:56 PM
> *To:* Ben Wilson
> *Cc:* Dimitris Zacharopoulos; mozilla-dev-security-policy
> *Subject:* Re: Policy 2.6 Proposal: Audit requirements for new subCA
> certificates
> On Thu, Apr 5, 2018 at 12:05 PM, Ben Wilson wrote:
> If I create a new sub CA on a weekly basis, will that mean that I have to
> republish my CPS every week?  That makes absolutely no sense.
> As proposed, the requirement isn't based on when the subCA certificate is
> created - it requires the subCA to be added to the CP/CPS before being used
> to issue certificates. Refer to the following thread for background on this
> proposal:
> policy/CAaC2a2HMiQ/IKimeW4NBgAJ
dev-security-policy mailing list
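The mechanism Wayne describes above, the Certificate Policies extension carrying a pointer to the governing CP/CPS, as an added example that is not code from this thread or from any CA mentioned in it: the CA-side function builds the extension with an id-qt-cps qualifier, and the relying-party-side function reads the asserted policy OIDs and their CPS URLs back out of a parsed certificate's extensions, rejecting a malformed extension rather than silently ignoring it. It uses only the Go standard library; any policy OID or URL you pass in is your own sample value.

```go
package main
import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)
// RFC 5280 4.2.1.4: id-ce-certificatePolicies, the id-qt-cps qualifier type, and the
// PolicyInformation / PolicyQualifierInfo structures the extension is built from.
var oidCertificatePolicies, oidQtCPS = asn1.ObjectIdentifier{2, 5, 29, 32}, asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 2, 1}
type policyQualifierInfo struct {
	PolicyQualifierID asn1.ObjectIdentifier
	Qualifier         asn1.RawValue // IA5String for a CPS pointer; other types for other qualifiers
}
type policyInformation struct {
	PolicyIdentifier asn1.ObjectIdentifier
	Qualifiers       []policyQualifierInfo `asn1:"optional"`
}
// PolicyExtension (CA side): certificatePolicies extension asserting policyOID with a CPS pointer to cpsURL.
func PolicyExtension(policyOID asn1.ObjectIdentifier, cpsURL string) (pkix.Extension, error) {
	uri := asn1.RawValue{Tag: asn1.TagIA5String, Bytes: []byte(cpsURL)}
	val, err := asn1.Marshal([]policyInformation{{policyOID, []policyQualifierInfo{{oidQtCPS, uri}}}})
	return pkix.Extension{Id: oidCertificatePolicies, Value: val}, err
}
// CPSPointers (relying-party side): map each policy OID in a certificate's extensions (call as CPSPointers(cert.Extensions...)) to its CPS URIs.
func CPSPointers(exts ...pkix.Extension) (map[string][]string, error) {
	out := map[string][]string{}
	for _, ext := range exts {
		if !ext.Id.Equal(oidCertificatePolicies) {
			continue
		}
		var policies []policyInformation
		if rest, err := asn1.Unmarshal(ext.Value, &policies); err != nil || len(rest) != 0 {
			return nil, fmt.Errorf("malformed certificatePolicies (err=%v, %d trailing bytes)", err, len(rest))
		}
		for _, p := range policies {
			uris := []string{} // stays empty when the policy carries no CPS pointer
			for _, q := range p.Qualifiers {
				if q.PolicyQualifierID.Equal(oidQtCPS) { // userNotice etc. are not CP/CPS pointers
					var uri string
					if _, err := asn1.UnmarshalWithParams(q.Qualifier.FullBytes, &uri, "ia5"); err != nil {
						return nil, err
					}
					uris = append(uris, uri)
				}
			}
			out[p.PolicyIdentifier.String()] = uris
		}
	}
	return out, nil
}
```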