To close out discussion on this issue, I've updated the change by removing the requirement to list each subCA certificate in the CPS: https://github.com/mozilla/pkipolicy/commit/1bdcd53baf2e8b9006a5e13923ce3d66eeff927e
- Wayne

On Mon, Apr 16, 2018 at 4:51 PM, Wayne Thayer <wtha...@mozilla.com> wrote:

> On Wed, Apr 11, 2018 at 3:49 PM, Wayne Thayer <wtha...@mozilla.com> wrote:
>
>> As an alternative to requiring newly-issued subCA Certificates to be listed in the relevant CP/CPS prior to issuing certificates, would it be reasonable for Mozilla to require the Certificate Policies extension in these certificates to contain a URL pointing to the relevant policy document(s)? I believe that most subCA certificates already contain this information.
>>
> Section 7.1.2.2 of the BRs states that the certificatePolicies:policyQualifiers:qualifier:cPSuri for a subCA certificate should contain a pointer to the **root** CA's policies. If this is correct, then my proposal doesn't solve the problem of requiring disclosure of the policies that a new subordinate CA certificate is operating under.
>
>> In theory, we could also permit three options - add the new subCA certificate to the relevant CP/CPS, include a Certificate Policies pointer, or publish an attestation, but I'd prefer a single, consistent mechanism that allows a relying party to determine which policies apply.
>>
> Based on the feedback so far, none of these options is desirable. I propose that we only make the change to section 5.3.2 of the Mozilla policy that clarifies the audit requirements for new subCA certificates, as follows:
>
>> If the subordinate CA has a currently valid audit report at the time of creation of the certificate, it MUST appear on the subordinate CA's next periodic audit reports.
>>
>
> - Wayne
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy