Confirmed users, Administrators
5,526
edits
CA:CertificatePolicyV2.3: Difference between revisions
→Approved
| Line 35: | Line 35: | ||
=== Approved === | === Approved === | ||
The following changes have been discussed in the mozilla.dev.security.policy forum, and '''need to be made''' to the [https://github.com/mozilla/ca-policy DRAFT of version 2.3 of the policy in GitHub]. | The following changes have been discussed in the mozilla.dev.security.policy forum, and '''need to be made''' to the [https://github.com/mozilla/ca-policy DRAFT of version 2.3 of the policy in GitHub]. | ||
* Refer to BRs for Name Constraints Requirement | * [https://groups.google.com/d/msg/mozilla.dev.security.policy/QJ2HypQRvxA/TeNM5Pk6BAAJ Refer to BRs for Name Constraints Requirement] | ||
** (D23) Simplify item #9 of the Inclusion Policy by using Baseline Requirements #9.7, "Technical Constraints in Subordinate CA Certificates via Name Constraints & EKU". | ** (D23) Simplify item #9 of the Inclusion Policy by using Baseline Requirements #9.7, "Technical Constraints in Subordinate CA Certificates via Name Constraints & EKU". | ||
** (D2) [https://www.cabforum.org/documents.html CA/Browser Forum Baseline Requirements] version 1.1.6 added a requirement regarding technically constraining subordinate CA certificates, so item #9 of the [http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html Inclusion Policy] may refer to the BR for details about how to technically constrain a subordinate CA certificate that can sign SSL certs. | ** (D2) [https://www.cabforum.org/documents.html CA/Browser Forum Baseline Requirements] version 1.1.6 added a requirement regarding technically constraining subordinate CA certificates, so item #9 of the [http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html Inclusion Policy] may refer to the BR for details about how to technically constrain a subordinate CA certificate that can sign SSL certs. | ||