[Kathleen, Gerv, Wayne: Please correct me if this post misrepresents
Mozilla's policy and/or current expectations. Thanks!]
Mozilla Root Store Policy v2.5 section 5.3.1 [1] permitted the
non-disclosure (and, IINM, non-audit) of certain
non-technically-constrained id-kp-emailProtection intermediate
certificates...until yesterday:
"Instead of complying with the above paragraph, intermediate
certificates issued before 22nd June 2017 may, until 15th January 2018..."
According to [2], there are currently 223 non-technically-constrained
intermediate certificates known to crt.sh that chain to an NSS built-in
root (that has the Email trust bit set) and are capable of issuing
id-kp-emailProtection certificates but not id-kp-serverAuthentication
certificates.
IIUC, the Mozilla policy now requires these intermediate certificates to
have already been disclosed to the CCADB and to be audited.
[1]
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#technically-constrained
[2]
https://crt.sh/mozilla-disclosures#undisclosed
[3]
https://crt.sh/mozilla-disclosures#undisclosedsummary
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online