The required practice "Publicly Available CP and CPS" [1] states:
> The CP/CPS must clearly indicate which root and subordinate certificates
> the practices and processes described in those documents apply to. This
> can be done in (at least) two ways:
>
> * the policy document can unambiguously list the specific CA certificates
>   within its scope
> * the CA certificate can contain one or more policy OIDs that are
>   referenced in the applicable policy documents

I have found that many CP/CPSes don't clearly list the certificates that are in-scope, and the binding between policy OIDs in subordinate CA certificates and CP/CPSes is often unclear when the CA has multiple policy documents. My concern is that this could lead to situations where a CA can pick and choose policies to argue that a given certificate is compliant.

However, BR section 7.1.2.3 already requires each end-entity certificate to include "A Policy Identifier, defined by the issuing CA, that indicates a Certificate Policy asserting the issuing CA's adherence to and compliance with these Requirements." I'm much more interested in compliance with the BRs and Mozilla policy than the CA's own CPS, so this mitigates my concern.

Even though I don't think this is as important now that I've given it some thought, I propose moving the following required practice into section 3.3 "CPs and CPSes" of our policy:

> CPs and CPSes must clearly indicate which root and intermediate
> certificates the practices and processes described in those documents apply
> to.

This is https://github.com/mozilla/pkipolicy/issues/171

I will appreciate everyone's input on this proposal.

- Wayne

[1] https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Publicly_Available_CP_and_CPS
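Added example, not part of Wayne's post and not Mozilla policy or CA/Browser Forum code: a small pure-Python decoder that pulls the policy OIDs out of a certificate's certificatePolicies extension value and checks them against the set of OIDs each of a CA's policy documents claims to govern. It reports OIDs that no document references (the unclear binding described above) and OIDs that more than one document references (the "pick and choose" case), and whether any policy identifier is present at all, which is what BR 7.1.2.3 requires. The DER bytes, the document names and the OID 2.999.1.1 (under the 2.999 example arc) are constructed for this example; 2.23.140.1.2.1 is the CA/Browser Forum domain-validated policy identifier.

```python
"""Decode a DER-encoded certificatePolicies extension value and audit how
its policy OIDs are bound to a CA's CP/CPS documents.

Hypothetical example; nothing here comes from Mozilla policy or a real CA.
"""

# Constructed sample: the extension value of certificatePolicies with two
# PolicyInformation entries and no policy qualifiers:
#   2.23.140.1.2.1  CA/Browser Forum DV policy OID
#   2.999.1.1       hypothetical CA-specific OID under the 2.999 example arc
SAMPLE_CERT_POLICIES = bytes.fromhex(
    "3012"                        # SEQUENCE OF PolicyInformation, 18 bytes
    "3008" "0606" "67810c010201"  # PolicyInformation { OID 2.23.140.1.2.1 }
    "3006" "0604" "88370101"      # PolicyInformation { OID 2.999.1.1 }
)

# Constructed sample: which OIDs each of the CA's policy documents says it
# governs. The overlap on 2.999.1.1 is deliberate.
SAMPLE_CPS_MAP = {
    "Example CA Root CPS v1": {"2.999.1.1"},
    "Example CA DV CPS v2": {"2.23.140.1.2.1", "2.999.1.1"},
}


def read_tlv(buf, pos):
    """Read one DER TLV starting at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past the end of the buffer")
    return tag, buf[pos:end], end


def decode_oid(content):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last octet of this base-128 subidentifier
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID subidentifier")
    # The first subidentifier packs the first two arcs as 40*arc1 + arc2.
    first = arcs.pop(0)
    if first < 40:
        head = [0, first]
    elif first < 80:
        head = [1, first - 40]
    else:
        head = [2, first - 80]
    return ".".join(str(a) for a in head + arcs)


def parse_certificate_policies(ext_value):
    """Return the list of policy OIDs in a certificatePolicies extension value."""
    tag, seq, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, policy_info, pos = read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        # policyIdentifier is the first element; any policyQualifiers follow
        # it and are ignored here.
        oid_tag, oid_content, _ = read_tlv(policy_info, 0)
        if oid_tag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_content))
    return oids


def audit_policy_binding(policy_oids, cps_map):
    """Map each policy OID to the documents that reference it and flag gaps."""
    binding = {
        oid: sorted(doc for doc, claimed in cps_map.items() if oid in claimed)
        for oid in policy_oids
    }
    return {
        "has_policy_identifier": bool(policy_oids),  # BR 7.1.2.3 needs >= 1
        "binding": binding,
        "unbound": [oid for oid, docs in binding.items() if not docs],
        "ambiguous": [oid for oid, docs in binding.items() if len(docs) > 1],
    }


if __name__ == "__main__":
    oids = parse_certificate_policies(SAMPLE_CERT_POLICIES)
    print("policy OIDs:", oids)
    print(audit_policy_binding(oids, SAMPLE_CPS_MAP))
```

In practice the extension value would be taken from the subordinate CA or end-entity certificate with any X.509 library, and the document-to-OID map would be built by reading the CA's published CP/CPS documents; the ambiguous entries are the ones where a reviewer has to ask the CA which document actually governs the certificate.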

