[cabfpub] Urgent: BR Exceptions for Subordinate CA Certificates

Gervase Markham gerv at mozilla.org
Fri Nov 1 11:20:03 UTC 2013

On 31/10/13 23:19, Ryan Sleevi wrote:
> I'm a bit curious on this. If the leafs are signed by BIT's
> (cross-signed) root directly, why would a pathLen of 1 be necessary? A
> pathLen of 0 is all that is needed to support this practice.

AIUI: BIT currently issue EE certs directly from the self-signed
certificate that is cross-signed. Direct root issuance is no longer
permitted. This path length change would allow BIT to move on from
solving the immediate issue to solving this additional compliance issue
quickly. The plan was to end direct root issuance using the new PKI
subject to submission at Mozilla, but on discovery that the solution has
not taken effect, Verizon intend to enforce browser policy and require
BIT to solve the direct root issuance problem beginning directly after
the Saturday end-of-public-trust issue is resolved.

IOW, AIUI, Verizon want BIT to stop direct root issuance, and putting a
path length of 1 in the cert makes that technically possible.

> Are you suggesting that BIT is going to spin up a new intermediate and
> re-issue all their existing certs from this intermediate, rather than
> the root? This seems orthogonal to the presumed crisis at hand, but it
> just helps to understand why this may have been brought up.

Yes. They've been found to be out of compliance with current browser
policy due to delays in implementation of the communicated solution and
they intend to remedy this.
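
The pathLen question in this message, as an added example (not part of the original email): a small Python model of the path-length step of RFC 5280 certificate path validation. It shows that a cross-certificate with pathLen 0 accepts leaves issued directly from it but rejects a chain through a new intermediate, while pathLen 1 accepts that chain. All certificate names are constructed placeholders, and signatures, names and validity periods are not checked.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cert:
    subject: str
    issuer: str
    is_ca: bool
    path_len: Optional[int] = None  # pathLenConstraint; None means absent


def check_path_len(path: List[Cert]) -> Tuple[bool, str]:
    """Path-length part of RFC 5280 section 6.1 only.

    `path` runs from the certificate issued by the trust anchor down to
    the end-entity certificate. Signatures, names, validity are not checked.
    """
    max_path_length = len(path)  # initial value n
    for cert in path[:-1]:  # every certificate except the last
        if not cert.is_ca:
            return False, f"{cert.subject}: not a CA"
        if cert.subject != cert.issuer:  # self-issued certs are not counted
            if max_path_length <= 0:
                return False, f"{cert.subject}: path length exceeded"
            max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len
    return True, "ok"


# Constructed sample chains; all names are placeholders.
def cross_cert(path_len: int) -> Cert:
    return Cert("Cross-signed root", "Public root", True, path_len)

INTERMEDIATE = Cert("New intermediate", "Cross-signed root", True, 0)

def direct_chain(path_len: int) -> List[Cert]:
    return [cross_cert(path_len),
            Cert("leaf.example", "Cross-signed root", False)]

def intermediate_chain(path_len: int) -> List[Cert]:
    return [cross_cert(path_len), INTERMEDIATE,
            Cert("leaf.example", "New intermediate", False)]

if __name__ == "__main__":
    for label, chain in [("direct, pathLen 0", direct_chain(0)),
                         ("via intermediate, pathLen 0", intermediate_chain(0)),
                         ("via intermediate, pathLen 1", intermediate_chain(1))]:
        print(label, "->", check_path_len(chain))
```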

