As an alternative to requiring newly-issued subCA Certificates to be listed in the relevant CP/CPS prior to issuing certificates, would it be reasonable for Mozilla to require the Certificate Policies extension in these certificates to contain a URL pointing to the relevant policy document(s)? I believe that most subCA certificates already contain this information.
In theory, we could also permit three options - add the new subCA certificate to the relevant CP/CPS, include a Certificate Policies pointer, or publish an attestation, but I'd prefer a single, consistent mechanism that allows a relying party to determine which policies apply.

- Wayne

On Thu, Apr 5, 2018 at 1:12 PM, Ben Wilson <[email protected]> wrote:

> That is a distinction without a difference. If I create a subCA, it’s because I want to put it into production soon afterwards. This proposal is going to add hours per week that DigiCert is going to have to do, on top of reporting CAs to the CCADB, and everything else that CAs have to do. What is the security-critical driver behind this? Where is the risk-cost-benefit analysis?
>
> *From:* Wayne Thayer [mailto:[email protected]]
> *Sent:* Thursday, April 5, 2018 1:56 PM
> *To:* Ben Wilson <[email protected]>
> *Cc:* Dimitris Zacharopoulos <[email protected]>; [email protected]; mozilla-dev-security-policy <[email protected]>
> *Subject:* Re: Policy 2.6 Proposal: Audit requirements for new subCA certificates
>
> On Thu, Apr 5, 2018 at 12:05 PM, Ben Wilson <[email protected]> wrote:
>
> If I create a new sub CA on a weekly basis, will that mean that I have to republish my CPS every week? That makes absolutely no sense.
>
> As proposed, the requirement isn't based on when the subCA certificate is created - it requires the subCA to be added to the CP/CPS before being used to issue certificates. Refer to the following thread for background on this proposal: https://groups.google.com/d/msg/mozilla.dev.security.policy/CAaC2a2HMiQ/IKimeW4NBgAJ

