[Servercert-wg] Disclosure of Technically Constrained CAs in the CCADB

Ben Wilson bwilson at mozilla.com
Tue Aug 24 16:58:51 UTC 2021


All,
I have started a proceeding to modify the Mozilla Root Store Policy (MRSP),
including MRSP Section 5.3 to require disclosure in the CCADB of
technically constrained CAs. See e.g.
https://github.com/mozilla/pkipolicy/pull/229 and
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XaW1o8JRme4/m/NUOAyHSKAAAJ.
The Baseline Requirements define "Technically Constrained Subordinate CA
Certificate" as "A Subordinate CA certificate which uses a combination of
Extended Key Usage settings and Name Constraint settings to limit the scope
within which the Subordinate CA Certificate may issue Subscriber or
additional Subordinate CA Certificates."  (Section 5.3.1 of the MRSP
contains a similar definition.) I don't believe that this proposed change
will require an amendment to the Baseline Requirements. However, please let
me know if you see any issues or if you believe this group needs to take
any action related to such change.
Thanks,
Ben