In the definition of EV TLS Capable, I'd move the last bullet up to the top.
This is because the definition is inherently recursive, and it's easy to miss that if the recursion rule isn't first. For example, I had a question about whether "revoked" meant just the certificate itself, or whether a revoked parent (etc) also qualifies. But the ambiguity goes away once you realize that the parent/cross/etc also needs to be EV TLS Capable, hence not revoked.

-Tim

> -----Original Message-----
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org>
> On Behalf Of Kathleen Wilson via dev-security-policy
> Sent: Thursday, November 5, 2020 7:28 PM
> To: Mozilla <mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: Re: Policy 2.7.1: MRSP Issue #152: Add EV Audit exception for Policy
> Constraints
>
> On 10/16/20 11:26 PM, Ryan Sleevi wrote:
> > Because of this, it seems that there is a simpler, clearer,
> > unambiguous path for CAs that seems useful to move to:
> > - If a CA is trusted for purpose X, that certificate, and all
> > subordinate CAs, should be audited against the criteria relevant for X
> >
>
> I am in favor of this approach for a future version of Mozilla's Root Store
> Policy, but I prefer not to try to tackle it in this v2.7.1 update. So I filed a
> github issue to remind us to consider this in the next version:
>
> https://github.com/mozilla/pkipolicy/issues/220
>
>
> I have added a section called "EV TLS Capable" to the wiki pages, and I will
> appreciate feedback on it:
>
> https://wiki.mozilla.org/CA/EV_Processing_for_CAs#EV_TLS_Capable
>
> For this MRSP Issue #152 update to v2.7.1, I propose that we make each
> occurrence of "capable of issuing EV certificates" link to
> https://wiki.mozilla.org/CA/EV_Processing_for_CAs#EV_TLS_Capable
>
> Thanks,
> Kathleen
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy