On Wed, Apr 11, 2018 at 3:49 PM, Wayne Thayer <wtha...@mozilla.com> wrote:
> As an alternative to requiring newly-issued subCA Certificates to be
> listed in the relevant CP/CPS prior to issuing certificates, would it be
> reasonable for Mozilla to require the Certificate Policies extension in
> these certificates to contain a URL pointing to the relevant policy
> document(s)? I believe that most subCA certificates already contain this
> information.
>

Section 7.1.2.2 of the BRs states that the certificatePolicies:policyQualifiers:qualifier:cPSuri for a subCA certificate should contain a pointer to the **root** CA's policies. If this is correct, then my proposal doesn't solve the problem of requiring disclosure of the policies that a new subordinate CA certificate is operating under.

> In theory, we could also permit three options - add the new subCA
> certificate to the relevant CP/CPS, include a Certificate Policies pointer,
> or publish an attestation, but I'd prefer a single, consistent mechanism
> that allows a relying party to determine which policies apply.
>

Based on the feedback so far, none of these options is desirable. I propose that we only make the change to section 5.3.2 of the Mozilla policy that clarifies the audit requirements for new subCA certificates, as follows:

> If the subordinate CA has a currently valid audit report at the time of
> creation of the certificate, it MUST appear on the subordinate CA's next
> periodic audit reports.
>

- Wayne

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy