On Tue, Oct 8, 2019 at 10:04 AM Corey Bonnell via dev-security-policy < [email protected]> wrote:
> Unless I found a root that Ryan isn’t referring to, Mozilla Policy 2.1 (
> https://wiki.mozilla.org/CA:CertificatePolicyV2.1) would have been in
> force when the root was first issued, so BR compliance would be mandatory
> from a Mozilla policy standpoint.

Correct. It sounds like you've identified the same (recently added) root, which was issued during Policy 2.1. That is, the BR-violating self-signed version was created 2014-12, added to Mozilla in 2018-10, and the BR-violating cross-signs created 2019-02 and 2019-06.

As it sounds like there's at least a consistent view that this is BR violating, I left a comment on the Inclusion Bug, https://bugzilla.mozilla.org/show_bug.cgi?id=1390803#c27 , to ask Wayne and Kathleen how they'd like to proceed.

