[cabfpub] Urgent: BR Exceptions for Subordinate CA Certificates

Rick Andrews Rick_Andrews at symantec.com
Thu Oct 31 20:22:34 UTC 2013

> 2) As a fallback to option 1, reissue an identical cross-signed
> certificate with a later expiration date. This would mean no name
> constraints - i.e. a temporary dispensation from the BRs. Mozilla is
> not
> requiring technical constraint until May 15th, 2014, so we propose that
> expiry date. This time frame will allow for further careful discussion
> of long-term solutions.

Kathleen, can you clarify the statement above about temporary dispensation? Neither the BRs nor Mozilla's policy requires Name Constraints. Constraints are required only when the issuing CA isn't audited. So if they can't use Name Constraints, can they submit to an audit?


More information about the Public mailing list