All,

There is some confusion about disclosure of new intermediate certs that
are issued to subordinate CAs with currently valid audit statements.

Section 5.3.2 of Mozilla's Root Store Policy says: "If the CA has a
currently valid audit report at the time of creation of the certificate,
then the new certificate MUST appear on the CA's next periodic audit
reports."

I think it is reasonable to assume that the same policy applies to
subordinate CAs, such that if the subordinate CA has a currently valid
audit report at the time of creation of a new intermediate certificate,
then the new certificate MUST appear on the subordinate CA's next
periodic audit reports.

The confusion is about how to disclose such a new intermediate
certificate in the CCADB.

I propose that to handle this situation, the CA may enter the
subordinate CA's current audit statements and use the Public Comment
field to indicate that the new certificate will be included in the next
audit statements. (Also, a quick comparison of the cert's Valid-From
date and the audit period dates will indicate this situation.)

Please let me know if you foresee any problems with this approach.

Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy