All,
I have narrowed down the potential issues to be addressed in the version 3.0 batch of changes needed in the Mozilla Root Store Policy (MRSP), as indicated at https://github.com/mozilla/pkipolicy/labels/3.0. However, I am open to any new suggestions. Here is the list of issues slated to be addressed:
Issue # | Description
--- | ---
 | MRSP § 3.3 - CPs/CPSes must follow the common outline of section 6 of RFC 3647 and “contain no sections that are entirely blank, having no text or subsections”
 | MRSP § 2.4 - Initial incident reports should be filed as soon as possible but no later than 72 hours after discovery, and full incident reports must be posted within two weeks of the incident. This is meant to be consistent with the CCADB Policy on incident reports: https://www.ccadb.org/cas/incident-report
 | MRSP §§ 3 and 7.1 - Put greater emphasis on the need for period-of-time audits.
 | MRSP § 6 - Address delayed revocation of TLS server certificates (to what extent does the policy need to address delayed revocation of S/MIME certificates?)
 | MRSP § 2 or 2.3 - Reference certificate linting requirements (a la the CA/Browser Forum’s TLS Baseline Requirements), and does the policy need to address linting of S/MIME certificates? (See https://github.com/cabforum/smime/issues/212)
 | MRSP §§ 1-7 - Phase out dual-purpose (TLS / S/MIME) root CAs (needs to specify a cut-off date after which root certificate inclusion applications cannot be for both trust bits)
 | MRSP § 5.1 - Add P-521 as supported
I will start tracking edits for these proposed changes in GitHub (no edits there yet).
Please let me know if other items should be added to this batch of changes.
I will start a separate discussion here on each of the issues as listed above, but until I do, feel free to make comments here or in GitHub.
Thanks,
Ben