Policy 2.8.1: MRSP Issue #253: CAs MUST specify BR 3.2.2.4 Methods

[Ben Wilson]

All,

The purpose of this thread is to discuss any concerns or suggestions regarding a sentence in item 3 of section 2.2 in the Mozilla Root Store Policy. In Mozilla's PKI Policy repository in GitHub, Issue #253, it is suggested that we replace lower case "must" and uppercase "SHOULD" with uppercase "MUST".

This sentence in MRSP section 2.2 would then read:

The CA operator's CPS (or, if applicable, the CP or CP/CPS) must MUST clearly specify the procedure(s) that the CA employs, and each documented procedure SHOULD MUST state which subsection of 3.2.2.4 it is complying with.

(See also https://github.com/BenWilson-Mozilla/pkipolicy/commit/389a73615e4658b49b346aeaecbb4dd8fca0c955)

Any thoughts or suggestions?

Thanks,

Ben

[Corey Bonnell]

The proposed change to a MUST is a good one, as I understand that disclosing the BR method numbers of the DV methods that the CA employs is already a requirement as documented in the CA Required or Recommended Practices [1]. This change will align the two documents.

Thanks,

Corey

[1] https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Verifying_Domain_Name_Ownership