mozilla / pkipolicy

Documents for Mozilla's PKI policies - certificate root program, etc.

Rephrase "included certificate" in MRSP 5.2 #242

Closed BenWilson-Mozilla closed 2 years ago

BenWilson-Mozilla commented 2 years ago

The second sentence in section 5.2 says, "CA operators MUST maintain a certificate hierarchy such that the included certificate does not directly issue end-entity certificates to customers (i.e. the included certificate signs intermediate issuing certificates), as described in section 6.1.7 of the Baseline Requirements." However, section 6.1.7 of the BRs is addressing self-signed "root certificates," not "included certificates". Some "included certificates" could be strictly issuing CAs under a root that is not an "included certificate" (e.g. under a Super CA, where the issuing CA has a pathlength of 0). In that case, the above language is not accurate - the included certificate would be allowed to issue end-entity certificates. So, one way to revise this would be for the sentence to add the word "root" as in, "the included root certificate."

BenWilson-Mozilla commented 2 years ago

Issue resolved with lines 594-597 of https://github.com/BenWilson-Mozilla/pkipolicy/commit/0c4201a2cfab4a68f82c99f4efcdc5bd14bf4785