CA:CertificatePolicyV2.3: Difference between revisions

The following changes are currently under discussion in the mozilla.dev.security.policy forum.
* [https://groups.google.com/d/msg/mozilla.dev.security.policy/U7DMI67L7PY/d0FFjA9KBAAJ Align policy with RFC 3647 now]
* [https://groups.google.com/d/msg/mozilla.dev.security.policy/QJ2HypQRvxA/R3JzEk9iAgAJ Refer to BRs for Name Constraints Requirement]
* [https://groups.google.com/d/msg/mozilla.dev.security.policy/QJ2HypQRvxA/R3JzEk9iAgAJ Timeline for disclosing new subCAs]
** (D23) Simplify item #9 of the Inclusion Policy by using Baseline Requirements #9.7, "Technical Constraints in Subordinate CA Certificates via Name Constraints & EKU".
** (D2) [https://www.cabforum.org/documents.html CA/Browser Forum Baseline Requirements] version 1.1.6 added a requirement regarding technically constraining subordinate CA certificates, so item #9 of the [http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html Inclusion Policy] may refer to the BR for details about how to technically constrain a subordinate CA certificate that can sign SSL certs.
* [https://groups.google.com/d/msg/mozilla.dev.security.policy/EDRp1Fil3u8/ub33LOoDAgAJ Timeline for disclosing new subCAs]
** (D3) Make the timeline clear about when the audit statements and disclosure have to happen for new audited/disclosed subCAs. According to section 8.1 of version 1.3 of the Baseline Requirements, the pre-issuance Readiness Audit is to be done before the SubCA begins issuing publicly-trusted certs. Then a complete audit is due within 90 days of issuing the first publicly-trusted cert.
* [https://groups.google.com/d/msg/mozilla.dev.security.policy/smAUN2Rtc78/T5rEAFmMAwAJ Key Sizes]