Revocation reasons - different requirements in MRSP vs Wiki


Jacob Hoffman-Andrews

May 19, 2022, 3:07:26 PM
To: dev-secur...@mozilla.org
Working on an update to our Subscriber Agreement, I noticed this text on the wiki:

https://wiki.mozilla.org/CA/Revocation_Reasons#Communication_to_Subscribers

> The Subscriber Agreement or Terms of Use MUST contain provisions imposing on the Applicant itself (or made by the Applicant on behalf of its principal or agent under a subcontractor or hosting service relationship) an obligation and warranty to specify the following revocation reasons when they are applicable to the reason that the subscriber is requesting that their certificate be revoked.

Compare with MRSP:

https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#611-end-entity-tls-certificate-crlrevocation-reasons

> The CA operator's subscriber agreement for TLS end entity certificates MUST inform certificate subscribers about the revocation reason options listed above and provide explanation about when to choose each option.

Note the difference: wiki says "MUST impose obligation and warranty;" MRSP says "MUST inform."

I'm assuming the MRSP is more up to date and is what we should follow.

But this raises a question: the wiki page contains a few normative requirements (all-caps MUST) that are not direct quotations. Should we consider those to be incorporated into the MRSP by reference? If so, we would have to follow the more stringent requirements from the wiki.

Kathleen Wilson

May 19, 2022, 3:27:47 PM
To: dev-secur...@mozilla.org, js...@letsencrypt.org
On Thursday, May 19, 2022 at 12:07:26 PM UTC-7 js...@letsencrypt.org wrote:
> Working on an update to our Subscriber Agreement, I noticed this text on the wiki:
>
> https://wiki.mozilla.org/CA/Revocation_Reasons#Communication_to_Subscribers
>
> ...
>
> But this raises a question: the wiki page contains a few normative requirements (all-caps MUST) that are not direct quotations. Should we consider those to be incorporated into the MRSP by reference? If so, we would have to follow the more stringent requirements from the wiki.

Jacob, thanks for bringing this to my attention. I will update the wiki page to remove the all-caps (normative) requirements. The wiki page is intended to clarify MRSP requirements (not introduce more stringent requirements).

Thanks,
Kathleen
