<div dir="ltr"><div>All,</div><div>I have started a proceeding to modify the Mozilla Root Store Policy (MRSP), including MRSP Section 5.3 to require disclosure in the CCADB of technically constrained CAs. See, e.g., <a href="https://github.com/mozilla/pkipolicy/pull/229">https://github.com/mozilla/pkipolicy/pull/229</a> and <a href="https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XaW1o8JRme4/m/NUOAyHSKAAAJ">https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XaW1o8JRme4/m/NUOAyHSKAAAJ</a>. The Baseline Requirements define "Technically Constrained Subordinate CA Certificate" as "A Subordinate CA certificate which uses a combination of Extended Key Usage settings and Name Constraint settings to limit the scope within which the Subordinate CA Certificate may issue Subscriber or additional Subordinate CA Certificates." (Section 5.3.1 of the MRSP contains a similar definition.) I don't believe that this proposed change will require an amendment to the Baseline Requirements. However, please let me know if you see any issues or if you believe this group needs to take any action related to such change.<br></div><div>Thanks,</div><div>Ben<br></div></div>