[cabfpub] Misissuance of certificates

Jeremy Rowley jeremy.rowley at digicert.com
Mon Jan 18 17:44:40 UTC 2016

Are you sure about this?  I don't think that's clear (and is one of the
reasons I've been trying to change the scope of the doc).

>From 1.1: "These Requirements only address Certificates intended to be used
for authenticating servers accessible through the Internet." 

If they aren't intended for authenticating servers accessible through the
Internet, the BRs don't apply (except where this is broadened by the Trust
Store Operator's policy).

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Sigbjørn Vik
Sent: Monday, January 18, 2016 4:59 AM
To: public at cabforum.org
Subject: Re: [cabfpub] Misissuance of certificates

On 15-Jan-16 20:01, Eneli Kirme wrote:
> Hi again,
> We would like to clarify a bit about scope vs compliance. Can it be, 
> that
> 1) Under root participating in root programs there’s a subordinate 
> that issues certificates which are out of scope of BR-s (i.e. not 
> intended for public web server authentication)?

No. The current understanding of the scope is all certificates chaining to a
root embedded in public browsers. A CA can choose itself which roots are in
scope, but not individual certificates.

Sigbjørn Vik
Opera Software
Public mailing list
Public at cabforum.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4964 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160118/a94c5658/attachment-0001.p7s>

More information about the Public mailing list