Policy 2.8.1: Candidate Issues to Address in MRSP v. 2.8.1


Ben Wilson

Nov 11, 2022, 1:50:14 PM
to dev-secur...@mozilla.org

All,

I have narrowed down proposed changes for the version 2.8.1 batch of changes to clarifications needed in the Mozilla Root Store Policy (MRSP) to the following:

Issue #249 – Clarify that CA operators are required to maintain all applicable CPs and CPSes during the CA’s lifetime

Issue #251 – Clarify that CAs not issuing certificates are not required to provide Full CRL information in the CCADB

Issue #253 – Clarify that a CA must clearly specify the procedures that it employs and state each subsection of 3.2.2.4 that it is complying with

Issue #256 – I propose that we close this issue (require Issuing Distribution Point extensions in sharded CRLs) because it has been addressed recently by CA/Browser Forum Ballot SC-058

Issue #257 – Require that CAs also follow discussions on the CCADB Public List

Here is a redlined version of the MRSP with the proposed changes, as they currently exist.

https://github.com/mozilla/pkipolicy/compare/master...BenWilson-Mozilla:pkipolicy:2.8.1

Please let me know if other "clean up" items should be added to this batch of changes.

I will start separate discussion on each of these, beginning with Issue #251, because it has been noted recently that more clarification is needed, and the proposed language doesn't yet fully address the issue, see e.g., https://bugzilla.mozilla.org/show_bug.cgi?id=1793210.

Thanks,

Ben

Ben Wilson

Nov 14, 2022, 7:26:01 PM
to dev-secur...@mozilla.org
All,
I've added Issue #243 to this list of version 2.8.1 candidates. Related to the "annual update" of a CA's CP/CPS, the change would replace "at least once every year" in item 4 of MRSP section 3.3 with "at least every 365 days". Some have suggested that the current language could be interpreted to mean a calendar year, which was not the intent. Section 2.3 of the Baseline Requirements, which says "annually update", may also need to be clarified. I'll post something separately to the CA/B Forum's server-cert-WG list. This proposed change will also align with the CCADB's built-in 365-day calculation, which checks CP/CPS publication dates.
Ben

Ben Wilson

Nov 14, 2022, 7:30:00 PM
to dev-secur...@mozilla.org
There is a possible correction to my last post re: 365 days, which might change to 398 days - see my comment here - https://github.com/cabforum/servercert/issues/370#issuecomment-1113441809.

Aaron Poulsen

Nov 22, 2022, 4:00:11 PM
to dev-secur...@mozilla.org, bwi...@mozilla.com
Hi, Ben - I see in your redline that you removed the effective month/day but kept '2022'. Is your intent to make these proposed changes effective by end-of-year?

Ben Wilson

Nov 22, 2022, 4:04:48 PM
to Aaron Poulsen, dev-secur...@mozilla.org
All,
I might try to get these in place before the end of 2022, but I think it's unlikely. While we're going through this process, please look at each proposed edit to the Mozilla Root Store Policy, identify any potential implementation-scheduling problems, and then communicate those back to the list.
Thanks,
Ben
