On Tue, Oct 8, 2019 at 10:04 AM Corey Bonnell via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Unless I found a root that Ryan isn’t referring to, Mozilla Policy 2.1 (
> https://wiki.mozilla.org/CA:CertificatePolicyV2.1) would have been in
> force when the root was first issued, so BR compliance would be mandatory
> from a Mozilla policy standpoint.

Correct. It sounds like you've identified the same (recently added) root,
which was issued during Policy 2.1. That is, the BR-violating self-signed
version was created 2014-12, added to Mozilla in 2018-10, and the
BR-violating cross-signs created 2019-02 and 2019-06.

As it sounds like there's at least a consistent view that this is BR
violating, I left a comment on the Inclusion Bug,
https://bugzilla.mozilla.org/show_bug.cgi?id=1390803#c27 , to ask Wayne and
Kathleen how they'd like to proceed.