Re: Policy 2.6 Proposal: Remove temporary exception for unconstrained email subordinates
Hearing no objections, I've added this change to the 2.6 branch:
https://github.com/mozilla/pkipolicy/commit/5490d165f0d9b55cb75e5851303a21f9a250e199

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Policy 2.6 Proposal: Remove temporary exception for unconstrained email subordinates
I support this change

On Mon, Mar 19, 2018 at 6:25 PM, Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> This new version of the policy won’t be completed until after 15-April, which is the revised deadline for disclosure and auditing of unconstrained email subordinates. I propose removal of the following exception from section 5.3.1:
>
> > Instead of complying with the above paragraph, intermediate certificates issued before 22nd June 2017 may, until 15th January 2018, comply with the following paragraph:
> >
> > If the certificate includes the id-kp-emailProtection extended key usage, then all end-entity certificates MUST only include e-mail addresses or mailboxes that the issuing CA has confirmed (via technical and/or business controls) that the subordinate CA is authorized to use.
>
> This is: https://github.com/mozilla/pkipolicy/issues/120
>
> ---
>
> This is a proposed update to Mozilla's root store policy for version 2.6. Please keep discussion in this group rather than on GitHub. Silence is consent.
>
> Policy 2.5 (current version):
> https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md

Policy 2.6 Proposal: Remove temporary exception for unconstrained email subordinates
This new version of the policy won’t be completed until after 15-April, which is the revised deadline for disclosure and auditing of unconstrained email subordinates. I propose removal of the following exception from section 5.3.1:

> Instead of complying with the above paragraph, intermediate certificates issued before 22nd June 2017 may, until 15th January 2018, comply with the following paragraph:
>
> If the certificate includes the id-kp-emailProtection extended key usage, then all end-entity certificates MUST only include e-mail addresses or mailboxes that the issuing CA has confirmed (via technical and/or business controls) that the subordinate CA is authorized to use.

This is: https://github.com/mozilla/pkipolicy/issues/120

---

This is a proposed update to Mozilla's root store policy for version 2.6. Please keep discussion in this group rather than on GitHub. Silence is consent.

Policy 2.5 (current version):
https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md