mozilla / pkipolicy

Documents for Mozilla's PKI policies - certificate root program, etc.

Clarify MRSP 5.3.2 to expressly include revoked CA certificates #250

Closed BenWilson-Mozilla closed 1 year ago

BenWilson-Mozilla commented 2 years ago

Per the discussion regarding uploading name-constrained CA certificates in the CCADB, see https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XM7hWqmqmPw/m/NntqsLbGAQAJ, section 5.3.2 of the Policy should mention unexpired, revoked CA certificates so that there is no confusion but that they need to be uploaded to the CCADB. We can discuss whether CAs "capable of issuing" "working" email certificates should remain included in this section.

timfromdigicert commented 1 year ago

Does this include CA certificates that are out of scope for Mozilla? Does a revoked document signing CA need to be uploaded?