On Thu, Mar 11, 2021 at 12:01 AM pfuen...--- via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> In summary, my understanding is that we can ignore that illustrative control
> of the Webtrust Criteria and that the community is cool with these
> subordinations of CAs with stronger keys (same or different algorithm).

Illustrative controls in WebTrust are not the principles and criteria, which are the requirements. Illustrative controls are just examples of things that CAs _might_ choose to do. They might also choose to do different things, which is fine as long as the things they do meet the criteria.

As you read through the WebTrust Principles and Criteria for Certification Authorities, you should also note that some principles and some criteria are notated with "if supported" or "if applicable". Not having controls that cover these is also usually fine, as long as you disclose that you do not do them. For example, many CAs in the Mozilla program do not issue Integrated Circuit Cards (also called "smart cards"), so WebTrust for CAs criteria 5.3 is not applicable; instead the management assertion can simply state that the CA does not issue ICCs.

Thanks,
Peter