I can't speak for the BRs, but I think root programs have considered this,
and have discouraged it in the absence of strong technically-enforceable
controls (e.g. being technically prevented from TLS certificates). Some
root programs have gone to a further extreme, and suggested that no
divergence is permitted in the CP/CPS (e.g. separate "root" per use case).

While they may operate on similar setups and configurations, given the risk
to clients, I think CAs should take steps to segment their hierarchies on a
real and technical level (e.g. no cross-pollination of keys and
certificates).

On Mon, Feb 4, 2019 at 5:38 PM Pedro Fuentes via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Thanks Wayne.
>
> Definitely, these things, the less left to interpretation, the better... I
> personally think BR should consider the fact that under a Root there can be
> different certificate policies, because as you say the strict reading of BR
> implies that suspension is forbidden also for certificates out of the scope
> of BR.
>
> Best,
> Pedro
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
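The post above asks for segmentation that is enforced "on a real and technical level" rather than only promised in a CP/CPS. The following is an added example, not code from this thread or from any CA or root program: a Go program that constructs a toy two-root hierarchy (all names and keys are made up for the demonstration) and checks two properties a relying party or auditor can verify from the certificates alone. First, whether a subordinate CA carries an Extended Key Usage extension that omits serverAuth and anyExtendedKeyUsage, so that clients reject TLS leaves from it regardless of policy text; second, whether the same public key appears under more than one CA certificate, which is the "cross-pollination of keys" the post warns against, detected by comparing SubjectPublicKeyInfo fingerprints rather than subject names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

var serial int64 = 1 // constructed serial counter; adequate for a demo only

// issueCA signs a CA certificate for key. With parent == nil the certificate is
// self-signed. ekus is the EKU list the issuer places on the new CA; an empty
// list means "no EKU extension at all", which is the unconstrained case.
func issueCA(cn string, key *ecdsa.PrivateKey, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey, ekus []x509.ExtKeyUsage) *x509.Certificate {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtKeyUsage:           ekus,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// excludesTLS reports whether the CA carries an EKU extension that omits
// serverAuth and anyExtendedKeyUsage, i.e. whether TLS issuance is prevented
// by the certificate itself rather than merely by the CPS.
func excludesTLS(c *x509.Certificate) bool {
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		return false // no EKU extension: technically unconstrained
	}
	for _, e := range c.ExtKeyUsage {
		if e == x509.ExtKeyUsageServerAuth || e == x509.ExtKeyUsageAny {
			return false
		}
	}
	return true
}

// spkiFingerprint identifies a key by the SHA-256 of its SubjectPublicKeyInfo,
// so the same key under a different subject name is still recognised.
func spkiFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// sharedKeys maps each SPKI fingerprint used by more than one certificate to
// the subject names that share it: key reuse across hierarchies.
func sharedKeys(certs []*x509.Certificate) map[string][]string {
	byKey := map[string][]string{}
	for _, c := range certs {
		fp := spkiFingerprint(c)
		byKey[fp] = append(byKey[fp], c.Subject.CommonName)
	}
	for fp, names := range byKey {
		if len(names) < 2 {
			delete(byKey, fp)
		}
	}
	return byKey
}

// buildDemoHierarchy constructs (not real CA data) root A with a TLS sub-CA and
// an EKU-constrained S/MIME sub-CA, and root B with a sub-CA that reuses the
// TLS sub-CA's key. It returns those three subordinate CAs in that order.
func buildDemoHierarchy() (tlsCA, mailCA, reusedCA *x509.Certificate) {
	newKey := func() *ecdsa.PrivateKey {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		return k
	}
	rootAKey, rootBKey, tlsKey, mailKey := newKey(), newKey(), newKey(), newKey()
	rootA := issueCA("Demo Root A", rootAKey, nil, nil, nil)
	rootB := issueCA("Demo Root B", rootBKey, nil, nil, nil)
	tlsCA = issueCA("Demo TLS Issuing CA", tlsKey, rootA, rootAKey,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth})
	mailCA = issueCA("Demo S/MIME Issuing CA", mailKey, rootA, rootAKey,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection})
	// Same key as tlsCA under a different root: the cross-pollination case.
	reusedCA = issueCA("Demo Other-Policy CA", tlsKey, rootB, rootBKey,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning})
	return tlsCA, mailCA, reusedCA
}

func main() {
	tlsCA, mailCA, reusedCA := buildDemoHierarchy()
	all := []*x509.Certificate{tlsCA, mailCA, reusedCA}
	for _, c := range all {
		fmt.Printf("%-26s TLS issuance technically excluded: %v\n",
			c.Subject.CommonName, excludesTLS(c))
	}
	for fp, names := range sharedKeys(all) {
		fmt.Printf("key %s... shared by %v\n", fp[:16], names)
	}
}
```

The EKU check deliberately treats "no EKU extension" as unconstrained, since without the extension a client has nothing to enforce; the key-reuse check compares SPKI hashes so that a key moved under a new name in another hierarchy is still caught.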