MRSP 3.0: Candidate Issues for MRSP v. 3.0

606 views
Skip to first unread message

Ben Wilson

unread,
Oct 2, 2024, 1:44:10 PMOct 2
to dev-secur...@mozilla.org

All,

I have narrowed down the potential issues to be addressed in the version 3.0 batch of changes needed in the Mozilla Root Store Policy (MRSP), as indicated at https://github.com/mozilla/pkipolicy/labels/3.0. However, I am open to any new suggestions. Here is the list of issues slated to be addressed:

Issue #

Description

263

MRSP § 3.3 - CPs/CPSes must follow the common outline of section 6 of RFC 3647 and “contain no sections that are entirely blank, having no text or subsections”

270 and 271

MRSP § 2.4 -Initial incident reports should be filed as soon as possible but no later than 72 hours after discovery and full incident reports must be posted within two weeks of the incident. This is meant to be consistent with the CCADB Policy on incident reports- https://www.ccadb.org/cas/incident-report.

275

MRSP §§ 3 and 7.1 - Put greater emphasis on the need for period-of-time audits.

276

MRSP § 6 - Address delayed revocation of TLS server certificates (to what extent does the policy need to address delayed revocation of S/MIME certificates?)

278

MRSP § 2 or 2.3 - Reference certificate linting requirements (a la the CA/Browser Forum’s TLS Baseline Requirements) and does the policy need to address linting of S/MIME certificates? See https://github.com/cabforum/smime/issues/212

279

MRSP §§ 1-7 - Phase out dual-purpose (TLS / S/MIME) root CAs (Needs to specify a cut-off date for when root certificate inclusion applications cannot be for both trust bits)

281

MRSP § 5.1 - Add P-521 as supported

 

I will start tracking edits for these proposed changes in GitHub (no edits there yet).

Please let me know if other items should be added to this batch of changes.

I will start a separate discussion here on each of the issues as listed above, but until I do, feel free to make comments here or in GitHub.

Thanks,

Ben

Ben Wilson

unread,
Oct 7, 2024, 1:07:39 PMOct 7
to dev-secur...@mozilla.org
All,
Please also consider the addition of GitHub Issue #283 to the list of issues that we would like to address in MRSP v. 3.0. Under Issue #283, we would edit section 7.1 of the MRSP to state that a CA operator filing for inclusion of a new root CA certificate must support at least one automated method of certificate issuance for each type of TLS certificate (EV, OV, DV, IV) that the CA issues. 
Thanks,
Ben
Reply all
Reply to author
Forward
0 new messages