Line 73: | Line 73: | ||
#* For each subordinate CA certificate that is being phased out and is in 'CRL/OCSP only' mode, please provide the following information: Name of SubCA (optional), SubCA Cert Hash (SHA1 or SHA256), SubCA Cert Subject Key Identifier, SubCA Cert Serial Number, Date of Last Cert Issuance, Date of Last Cert Expiration. | #* For each subordinate CA certificate that is being phased out and is in 'CRL/OCSP only' mode, please provide the following information: Name of SubCA (optional), SubCA Cert Hash (SHA1 or SHA256), SubCA Cert Subject Key Identifier, SubCA Cert Serial Number, Date of Last Cert Issuance, Date of Last Cert Expiration. | ||
# What about [https://tools.ietf.org/html/rfc6962 Certificate Transparency] Precertificate Signing Certificates? | # What about [https://tools.ietf.org/html/rfc6962 Certificate Transparency] Precertificate Signing Certificates? | ||
#* A Precertificate Signing Certificate with an EKU extension with '''only''' the Certificate Transparency OID 1.3.6.1.4.1.11129.2.4.4 is considered technically constrained according to section 9 of Mozilla's CA Certificate Policy. The certificate's EKU extension must '''not''' include any of these KeyPurposeIds: anyExtendedKeyUsage, id-kp-serverAuth, id-kp-emailProtection, id-kp-codeSigning. | #* A Precertificate Signing Certificate with an EKU extension with '''only''' the Certificate Transparency OID 1.3.6.1.4.1.11129.2.4.4 is considered technically constrained according to section 9 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Policy]. The certificate's EKU extension must '''not''' include any of these KeyPurposeIds: anyExtendedKeyUsage, id-kp-serverAuth, id-kp-emailProtection, id-kp-codeSigning. |
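Review bot: The link added around "Mozilla's CA Certificate Policy" in the last row points at the policy's inclusion page with no section anchor or policy version, while the sentence relies on "section 9" of that policy. If the policy is revised or renumbered, the section reference and the link target can drift apart, so consider stating the policy version in the text or linking to the cited section directly. The EKU requirement wording (only the Certificate Transparency OID 1.3.6.1.4.1.11129.2.4.4, and none of the four listed KeyPurposeIds) is identical on both sides, so the edit does not change the constraint itself.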