I created a PR on GitHub to enforce the disclosure of TCSC to CCADB: Disclose also TCSC to CCADB by RufusJWB · Pull Request #229 · mozilla/pkipolicy (github.com) <https://github.com/mozilla/pkipolicy/pull/229>. You might want to consider this for the next release for the root store policy.
/Rufus

Rufus Buschart wrote on Wednesday, 28 July 2021 at 10:09:58 UTC+2:

> > From: Ben Wilson <[email protected]>
> > Sent: Tuesday, 27 July 2021 19:10
> >> On Tue, Jul 27, 2021 at 10:12 AM Dimitris Zacharopoulos <mailto:[email protected]> wrote:
> >>
> >> It is quite possible that you have identified HARICA as the CA with most technically constrained subCAs
> >> because we decided to disclose our TCSC Certificate in CCADB although the current Mozilla Policy does
> >> not require it. It's very likely that other CAs have TCSCs that have not been disclosed and could have a
> >> different approach from HARICA.
> >
> > Maybe Section 5.3 of the Mozilla Root Store Policy should be amended to require disclosure in the
> > CCADB of TCSC Certificates, especially now that other root stores rely on the CCADB?
> >
> > Ben
>
> Until this email I wasn't even aware that there is such an exception for TCSC. Yes, I would support this
> proposal and I would propose to enforce this disclosure for all sub CAs chaining to a Mozilla trusted root,
> regardless of the EKU / KU.
>
> With best regards,
> Rufus Buschart
>
> Siemens AG
> Information Technology
> Infrastructure
