[cabfpub] Urgent: BR Exceptions for Subordinate CA Certificates
Kathleen Wilson
kwilson at mozilla.com
Thu Oct 31 20:29:44 UTC 2013
On 10/31/13 1:22 PM, Rick Andrews wrote:
>> 2) As a fallback to option 1, reissue an identical cross-signed
>> certificate with a later expiration date. This would mean no name
>> constraints - i.e. a temporary dispensation from the BRs. Mozilla is
>> not
>> requiring technical constraint until May 15th, 2014, so we propose that
>> expiry date. This time frame will allow for further careful discussion
>> of long-term solutions.
> Kathleen, can you clarify the statement above about temporary dispensation? Neither the BRs nor Mozilla's policy requires Name Constraints. Constraints are required only when the issuing CA isn't audited. So if they can't use Name Constraints, can they submit to an audit?
>
> -Rick
BIT has chosen the technical constraints option for the cross-cert.
BIT's old CA hierarchy had been getting audited, but they have stopped
getting the CA hierarchy audited, because they decided to focus their
audit resources on the PKI containing the new roots. The cross-cert is
for BIT's old CA hierarchy, to enable smooth transition to their new CA
hierarchy.
Thanks,
Kathleen
More information about the Public
mailing list