Policy 2.4 Proposal: Make clear that duplicate serial numbers are OK when supporting CT

Gervase Markham

Nov 30, 2016, 4:32:13 PM
to mozilla-dev-s...@lists.mozilla.org
At least for RFC 6962 (-bis is a different issue), pre-certs are certs
and so the duplication of (issuer name, serial number) between the
pre-cert and the cert is technically a violation of Mozilla policy; we
reserve the right not to include CAs who issue certs with "duplicate
issuer names and serial numbers".

We should make it clear that this is OK in the CT case. I propose the
following change:

duplicate issuer names and serial numbers;

->

duplicate issuer names and serial numbers (except that a Certificate
Transparency pre-certificate is allowed to match the corresponding
certificate);

This is: https://github.com/mozilla/pkipolicy/issues/41

-------

This is a proposed update to Mozilla's root store policy for version
2.4. Please keep discussion in this group rather than on GitHub. Silence
is consent.

Policy 2.3 (current version):
https://github.com/mozilla/pkipolicy/blob/2.3/rootstore/policy.md
Update process:
https://wiki.mozilla.org/CA:CertPolicyUpdates

Gervase Markham

Dec 8, 2016, 3:07:58 PM
to mozilla-dev-s...@lists.mozilla.org
On 30/11/16 11:31, Gervase Markham wrote:
> We should make it clear that this is OK in the CT case. I propose the
> following change:

Result: resolved as specified.

Gerv