On Thu, Oct 31, 2019 at 7:20 PM Kathleen Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> 2) Summarized: ALV tries to find a match in the Audit Letter for the > SHA256 thumbprint that is sent by CCADB. Listing thumbprints that were > out of scope within an audit letter could cause ALV to produce > inaccurate results. It would be good to state that audit letters MUST > NOT contain the SHA-256 thumbprints for certs that were out of scope. > Thanks. I think it's preferable to avoid that MUST NOT for now, at least within the CCADB policy. I think it may potentially portend requiring separate audit letters for different root stores. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy