On Thu, Oct 31, 2019 at 7:20 PM Kathleen Wilson via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> 2) Summarized: ALV tries to find a match in the Audit Letter for the
> SHA256 thumbprint that is sent by CCADB. Listing thumbprints that were
> out of scope within an audit letter could cause ALV to produce
> inaccurate results. It would be good to state that audit letters MUST
> NOT contain the SHA-256 thumbprints for certs that were out of scope.


I think it's preferable to avoid that MUST NOT for now, at least within the
CCADB policy. I think it may potentially portend requiring separate audit
letters for different root stores.