MRSP 3.1: Issue #s 292 and 293: CA Operational Reporting and Policy Alignment


Ben Wilson

Apr 23, 2026, 6:16:08 PM
to dev-secur...@mozilla.org

All,

This thread begins discussion of proposed updates to the Mozilla Root Store Policy (MRSP) relating to CA operational reporting in a "timely manner" (Issue #292) and alignment of the MRSP with external policy frameworks (Issue #293).

These changes are intended to improve clarity and consistency in how CA operators meet their reporting obligations, particularly with respect to the CCADB, and to better align MRSP requirements with the CCADB Policy and the CA/Browser Forum’s requirements documents. The goal is to reduce ambiguity, eliminate overlapping or inconsistent requirements, and reinforce expectations for CA reporting of accurate and current operational data.

Again, here is a comparison of the proposed MRSP v3.1 (working draft, subject to change) vs. the current MRSP v3.0.

Overview of Proposed Changes

1. Reporting Obligations and Timeliness – #292

Section 7.3 (Removals) is updated to replace the existing reference to failure to act in a “timely manner” with more explicit language tied to CCADB and policy compliance expectations. Under the proposed revision:

“Repeated failure to provide required notifications or updates in the CCADB, or to otherwise comply with Mozilla or CCADB Policy requirements for maintaining accurate and current information, SHALL be grounds for disabling a CA operator’s root certificates or removing them from Mozilla’s root store.”

This change is intended to:

  • Align the MRSP with the CCADB Policy, which already defines expectations for timeliness and data maintenance, and hence avoid maintaining separate or potentially inconsistent timing requirements within the MRSP; and
  • Emphasize that ongoing accuracy and completeness of operational data is a core compliance obligation.


2. Policy Alignment and Order of Precedence – #293

Clarifications are added to address how the MRSP interacts with other applicable requirements, including the CCADB Policy and CA/Browser Forum guidelines.

A new sentence in section 2.1 provides an order of precedence. In the event of inconsistency between the MRSP and other applicable requirements, the MRSP takes precedence. However, where the MRSP does not explicitly resolve an inconsistency, then the most restrictive applicable requirement applies, unless otherwise specified.

Additionally, where the MRSP had more specific or duplicative text, it was removed if the subject was already addressed in the CCADB Policy or CA/Browser Forum requirements.

These changes are intended to:

  • Provide a clear framework for resolving conflicts across multiple governing documents;
  • Reduce redundancy within the MRSP; and
  • Rely on external policies where they already define detailed operational requirements, while preserving Mozilla’s authority to impose stricter or additional requirements where necessary.

Feedback on the proposed direction and suggestions on the draft language are welcome.

Thanks,

Ben Wilson

Mozilla Root Program


Aaron Gable

Apr 24, 2026, 3:17:19 PM
to Ben Wilson, dev-secur...@mozilla.org
Both of these changes look good to me. It's a bit difficult to isolate them in the whole-file diff; it would be great if each of these changes came with its own standalone diff, but I totally understand the difficulty of disentangling all of that.

Aaron

To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtab%3Der%3D_eMAS4XPWpG-7yx30YmXpvWtxERaAbAFmoXm%2Bpw%40mail.gmail.com.