Prioritization of Root CA Inclusion Requests
Ben Wilson
So https://wiki.mozilla.org/CA/Prioritization would be updated. For example,
could become
"P1 = High (Applicant has good compliance history and is replacing an already-included CA certificate or is previously approved as a subordinate CA operator)"
"3 - Replacing Existing (Existing CA operators that are replacing an already-included root certificate) https://wiki.mozilla.org/CA/Certificate_Change_Process "
could become
"3 - Replacing Existing (Existing CA operators that are replacing an already-included root certificate, https://wiki.mozilla.org/CA/Certificate_Change_Process, or is a previously approved subordinate CA operator who is requesting direct inclusion) "
Doug Beattie
Hi Ben,
Anything you can do to speed up/optimize the process and encourage CAs to roll out different roots for different purposes (TLS only Root, Email only Root, etc.), and to encourage more frequent roll-overs would be a good thing and you might get more adoption of that philosophy. I don’t know the list of factors is in order of importance, but if so, the moving #5 up might encourage more CAs to create roots dedicated for a single purpose. It certainly belongs ahead of #3.
Doug
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZJsfbiDo%3DKD90Rv_LwMOive5cFiMZC7%3DHVcaigkVTdqw%40mail.gmail.com.
Cynthia Revström
To me personally it would make the most sense if these requests would
be classed as high priority but not as high as replacing an
already-included cert.
So like P1.5/a new P2, I am not sure how much practical difference
this would make and if it is not a lot, then it is probably fine to
just add it to P1.
My thinking here is kinda that no real change in structure of CAs
should be higher (or equal) priority than replacing an
already-included CA cert.
I will admit that I am not overly familiar with the details of this
process and these are just my initial thoughts so take this input with
a grain of salt.
-Cynthia
Lahtiharju, Pekka
Hi Doug,
Is the described multi-root schema (different roots for different purposes) some kind of new best practice for CAs? So far Telia has used only one root for all purposes but should we now change that policy and start applications with several new roots? What is the reason for multi-root schema? Note! Some root programs like Oracle have specified that one member may have maximum three roots in their systems.
Best Regards
Pekka
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/PUZPR03MB6129902BAB45A42A2235DD5DF00F9%40PUZPR03MB6129.apcprd03.prod.outlook.com.
This email may contain information which is privileged or protected against unauthorized disclosure or communication. If you are not the intended recipient, please notify the sender and delete this message and any attachments from your system without producing, distributing or retaining copies thereof or disclosing its contents to any other person.
Telia Company processes emails and other files that may contain personal data in accordance with Telia Company’s Privacy Policy.
Moudrick M. Dadashov
Ryan Sleevi
Hi Doug,
Is the described multi-root schema (different roots for different purposes) some kind of new best practice for CAs? So far Telia has used only one root for all purposes but should we now change that policy and start applications with several new roots? What is the reason for multi-root schema? Note! Some root programs like Oracle have specified that one member may have maximum three roots in their systems.