[cabfpub] Misissuance of certificates

Doug Beattie doug.beattie at globalsign.com
Mon Nov 9 16:42:11 UTC 2015


Ryan,

 

I’m not following your statement that “If a cert transitively chains to a publicly trusted root, it should be public, technically constrained subordinate CA notwithstanding.”

 

Mozilla requires the CA certificates to be publically disclosed, but I haven’t found anything saying that all SSL certificates under a CA (technically constrained or not) need to be publically disclosed.  Audited, yes.  Did I miss something in one of the Root policies or the BRs that says all SSL certificates need to be publically disclosed?

 

Doug

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi
Sent: Monday, November 9, 2015 9:16 AM
To: Dean Coclin <Dean_Coclin at symantec.com>
Cc: public at cabforum.org
Subject: Re: [cabfpub] Misissuance of certificates

 

 

 

On Mon, Nov 9, 2015 at 5:29 AM, Dean Coclin <Dean_Coclin at symantec.com <mailto:Dean_Coclin at symantec.com> > wrote:

Sig,

You made a statement in another email which, if I'm remembering correctly, said something like this: If a cert is issued from a public root, for public domains, for use by the public, then its contents is automatically public.

 

If a cert transitively chains to a publicly trusted root, it should be public, technically constrained subordinate CA notwithstanding.

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20151109/29cef2fa/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4289 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20151109/29cef2fa/attachment-0001.p7s>


More information about the Public mailing list