- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Mon, 6 Apr 2015 10:05:38 -0700
- To: Brad Hill <hillbrad@gmail.com>
- Cc: noloader@gmail.com, "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Monday, 6 April 2015 17:06:07 UTC
I echo Brad's suggestion to take this concern to Mozilla's security policy group. Issuing unconstrained and un-audited sub-CA certs would violate Mozilla's certificate policy (see section 8 of https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/). The press release doesn't actually say such certs would be unconstrained, and GeoTrust should be well aware of these requirements, but it doesn't hurt to follow up and make sure.

-Dan Veditz