[cabfpub] Which CAs must be audited

Peter Bowen pzb at amzn.com
Sun Apr 30 10:25:50 MST 2017


Of course I missed a key step.  If there is an EKU extension, check to see if it contains the anyEKU KP.  If so, then go to the pathLen check.  Otherwise check for specific KPs.

> On Apr 30, 2017, at 9:27 AM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
> 
> Lol at the IPv4 and IPv6 part.
>   <>
> From: Public [mailto:public-bounces at cabforum.org <mailto:public-bounces at cabforum.org>] On Behalf Of Peter Bowen via Public
> Sent: Sunday, April 30, 2017 8:53 AM
> To: CA/Browser Forum Public Discussion List <public at cabforum.org <mailto:public at cabforum.org>>
> Cc: Peter Bowen <pzb at amzn.com <mailto:pzb at amzn.com>>
> Subject: [cabfpub] Which CAs must be audited
>  
> Over on the mozilla.dev.security.policy list, there was some confusion about which subordinate CAs need to have audits.
>  
> I’ve put together two flow charts to help document what I think has been said on that list.  I tried to merge info from both the Mozilla and Microsoft policies, so I might be a little off.
>  
> The one place where this does differ from current Mozilla policy is that it has disclosure of technically constrained CA certificates themselves.  This is proposed for Mozilla but not yet required.
>  
> Anyone see errors?
>  
> Thanks,
> Peter
>  
> <image001.png>
>  
> <image002.jpg>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170430/c0fad18d/attachment.html>


More information about the Public mailing list