In the definition of EV TLS Capable, I'd move the last bullet up to the top.

This is because the definition is inherently recursive, and it's easy to miss that
if the recursion rule isn't first.

For example, I had a question about whether "revoked" meant just the certificate
itself, or whether a revoked parent (etc) also qualifies.  But the ambiguity goes
away once you realize that the parent/cross/etc also needs to be EV TLS Capable,
hence not revoked.

-Tim

> -----Original Message-----
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org>
> On Behalf Of Kathleen Wilson via dev-security-policy
> Sent: Thursday, November 5, 2020 7:28 PM
> To: Mozilla <mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: Re: Policy 2.7.1: MRSP Issue #152: Add EV Audit exception for Policy Constraints
> 
> On 10/16/20 11:26 PM, Ryan Sleevi wrote:
> > Because of this, it seems that there is a simpler, clearer,
> > unambiguous path for CAs that seems useful to move to:
> > - If a CA is trusted for purpose X, that certificate, and all
> > subordinate CAs, should be audited against the criteria relevant for X
> >
> 
> I am in favor of this approach for a future version of Mozilla's Root Store
> Policy, but I prefer not to try to tackle it in this v2.7.1 update.  So I filed a
> github issue to remind us to consider this in the next version:
> 
> https://github.com/mozilla/pkipolicy/issues/220
> 
> 
> I have added a section called "EV TLS Capable" to the wiki pages, and I will
> appreciate feedback on it:
> 
> https://wiki.mozilla.org/CA/EV_Processing_for_CAs#EV_TLS_Capable
> 
> For this MRSP Issue #152 update to v2.7.1, I propose that we make each
> occurrence of "capable of issuing EV certificates" link to
> https://wiki.mozilla.org/CA/EV_Processing_for_CAs#EV_TLS_Capable
> 
> Thanks,
> Kathleen
> 
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
