MRSP Policy v. 2.8.1 Finalization


Ben Wilson

Jan 19, 2023, 6:04:35 PM
to dev-secur...@mozilla.org
All,

We are nearing the point where we will finalize version 2.8.1 of the Mozilla Root Store Policy.  Here is a GitHub comparison containing the proposed changes:
 

Please provide any final comments.

Thanks,

Ben

Kurt Seifried

Jan 19, 2023, 7:13:36 PM
to Ben Wilson, dev-secur...@mozilla.org
Where does discussion/creation of this policy take place? 

Also specific feedback:

RFC2119, instead of SHALL use MUST, it's more declarative and you don't have to read the RFC to realize SHALL == MUST:

1. MUST   This word, or the terms "REQUIRED" or "SHALL", mean that the
   definition is an absolute requirement of the specification.

With respect to adding the public@ list as required reading, there's no mention of signing up and issues around the anti-spam measures now. It might be worth noting that CAs SHOULD use their domain to make matching up the email to the company easier, but they can also use @gmail.com or whatever, and in this case they may need to take additional steps to prove they are acting on behalf of the CA they claim to be.

Also the (wiki page? I can't find the link right now) of the list of people and who they represent (if any) for the mailing list, is that something the CAs should be filling out?





--
Kurt Seifried (He/Him)
ku...@seifried.org

Ben Wilson

Jan 20, 2023, 2:58:10 PM
to Kurt Seifried, dev-secur...@mozilla.org
Hi Kurt,
As we work on enhancements to the Mozilla Root Store Policy, those changes or suggestions get logged in GitHub as issues. https://github.com/mozilla/pkipolicy/issues They can get discussed there in GitHub. Then, they are triaged and labeled for future releases. E.g. https://github.com/mozilla/pkipolicy/labels/2.8.1. Then the issues or potential changes are discussed in batch-form on this list, where I prefer discussion takes place once I announce a discussion of the issue number. I flag the issue number and the future release's version number in the subject line. See https://groups.google.com/a/mozilla.org/g/dev-security-policy/search?q=subject%3A%222.8.1
Ben

Ben Wilson

Jan 24, 2023, 6:08:45 PM
to dev-secur...@mozilla.org
Hi,
I haven't had anyone ask about the proposed effective date of this version 2.8.1.  I don't see any new requirements that would require lead time for CAs to implement. I should be ready to post this final version within the next two weeks. Does anyone see why an effective date couldn't be February 15, 2023?
Thanks,
Ben

Aaron Gable

Jan 30, 2023, 12:04:03 PM
to Ben Wilson, dev-secur...@mozilla.org
Hi Ben,

No objection to a Feb 15th date from me, everything here looks good.

Aaron
