Sometimes, CAs apply for inclusion with new, clean roots. Other times, CAs apply to include roots which already have a history of issuance. The previous certs issued by that CA aren't always all BR-compliant. Which is in one sense understandable, because up to this point the CA has not been bound by the BRs. Heck, the CA may never even have heard of the BRs until they come to apply - although this seems less likely than it would once have been.
What should our policy be regarding BR compliance for certificates issued by a root requesting inclusion, which were issued before the date of their request? Do we:

A) Require all certs be BR-compliant going forward, but grandfather in the old ones; or
B) Require that any non-BR-compliant old certs be revoked; or
C) Require that any seriously (TBD) non-BR-compliant old certs be revoked; or
D) something else?

Gerv
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

