[cabfpub] Urgent: BR Exceptions for Subordinate CA Certificates

Kathleen Wilson kwilson at mozilla.com
Thu Oct 31 20:29:44 UTC 2013

On 10/31/13 1:22 PM, Rick Andrews wrote:
>> 2) As a fallback to option 1, reissue an identical cross-signed
>> certificate with a later expiration date. This would mean no name
>> constraints - i.e. a temporary dispensation from the BRs. Mozilla is
>> not
>> requiring technical constraint until May 15th, 2014, so we propose that
>> expiry date. This time frame will allow for further careful discussion
>> of long-term solutions.
> Kathleen, can you clarify the statement above about temporary dispensation? Neither the BRs nor Mozilla's policy requires Name Constraints. Constraints are required only when the issuing CA isn't audited. So if they can't use Name Constraints, can they submit to an audit?
> -Rick

BIT has chosen the technical constraints option for the cross-cert. 
BIT's old CA hierarchy had been getting audited, but they have stopped 
getting the CA hierarchy audited, because they decided to focus their 
audit resources on the PKI containing the new roots. The cross-cert is 
for BIT's old CA hierarchy, to enable smooth transition to their new CA 


More information about the Public mailing list