On Mon, Apr 29, 2019 at 7:31 AM Peter Bowen <pzbo...@gmail.com> wrote:
> I support this, as long as Policy CAs meet the same operations standards
> and have the same issuance restrictions as root CAs. This would result in
> no real change to policy, as I assume roots not directly included in the
> Mozilla root store were already considered “roots” for this part of the
> policy.
>

Section 5.3 already excludes "cross-certificates that share a private key with a corresponding root certificate" from the EKU requirement.