All,
This past April we published Mozilla’s Root Store Policy v. 2.7.1 (MRSP) with an effective date of May 1, 2021, knowing that there were new items for which CAs would need time to implement, and we sent out a CA survey to help us determine reasonable implementation timeframes for new requirements in the MRSP. Specifically, in Item 7 of the CA Survey we asked CAs about the status of their compliance with a new provision in MRSP § 6 that states, “Section 4.9.12 of a CA's CP/CPS MUST clearly specify the methods that parties may use to demonstrate private key compromise.” One option we gave in the survey responses was a checkbox with the response “By the date specified below, we plan to publish a new version of our CPS that contains the methods that parties may use to demonstrate private key compromise.” CA Responses are located here: https://ccadb-public.secure.force.com/mozillacommunications/CACommResponsesOnlyReport?CommunicationId=a054o00000EL1Fo&QuestionId=Q00140,Q00150,Q00148.
There were a range of responses, many CAs indicating that
they could publish a new CPS by the end of May. However, we have not yet made announced
a date by which we will expect all CAs to have updated their CPSes to meet this new
requirement. This has lead to some confusion, e.g. Bug 1713976 was
filed yesterday for Amazon’s CPS not having updated section 4.9.12 of its CPS, even
though Amazon committed to do so by the end of June. Concern was raised in the bug that other dates proposed by CAs might be too far away. At the suggestion of Ryan Sleevi, I’m opening
discussion here on this issue.
Mainly, I’m requesting feedback on a date by which all CAs
should be expected to have updated section 4.9.12 in their CPSes with methods
that parties may use to demonstrate private key compromise.
Thanks,
Ben
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20210603143036.ed04b6869bb889c9cfb54fed%40andrewayer.name.