the Apple Policy: Effective October 1, 2022, CA providers must populate the CCADB fields under "Pertaining to Certificates Issued by This CA" with either the CRL Distribution

information, policy should be amended such that: 1. The location(s) of CRL(s) for dormant CAs MUST be disclosed prior to issuing any certificates (ie, making the CA "active"

Store > Policy > . > In Mozilla's PKI Policy repository in GitHub, Issue #253 > , it is suggested that > we replace lower case "must" and uppercase "

Root Store Policy, identify any potential implementation-scheduling problems, and then communicate those back to the list. Thanks, Ben On Tue, Nov 22, 2022 at 12:27 PM Aaron Poulsen

that applicable policy and practice documents can be retrieved for the R1 hierarchy for the period 1995 - 2020; for the R2 hierarchy, for the period from 2005 - 2030; and for the R3 hierarchy

on these policy documents, in part, to evaluate that CAs are upholding their commitments and operating services as expected. We also use them when assessing incidents (to understand

Mozilla PKI Policy repository on GitHub. The proposed language for the last paragraph of section 2.1 of the Mozilla Root Store Policy is as follows: "CA operators MUST follow

? Version 2.8 has been finalized and is going through the publication process today, which I was going to announce when it is up on the Mozilla website. Thanks, Ben On Thu, Apr 28, 2022

Root Store Policy v. 2.8 that I will be sending through the CCADB mailer to all CAs in the Mozilla program. I also have a cover letter for the CA communication, which is boilerplate similar

security-policy@mozilla.org" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to dev-security-policy+unsubscribe@mozilla

v. 2.8. Currently, section 5.2 of the MRSP says, "CAs MUST NOT generate the key pairs for end-entity certificates that have an EKU extension containing the KeyPurposeIds id-

sequence of policy documents for that same period. >> >> This policy change doesn't fully require the "birth certificate" approach >> (although

a Certificate Policy and/or Certification > Practice Statement". (Here, implementing the conjunctions "and" and "or" > get messy.) Currently

Root Store Policy. It can be reviewed here in the current draft version of MRSP v.2.8 - see https://github.com/mozilla/pkipolicy/compare/master...BenWilson-Mozilla:2.8 or

v.2.8 and the wiki page with language that allows replacement of existing CA certificates without requiring the public discussion process. For discussion purposes, let's assume

security-policy group, Consorci AOC supports banning SHA-1 across the board. We no longer support SHA-1 signatures for services related to CAs trusted by Mozilla, in our situation

of this Policy”. As an aside, it appears that a requirement to audit TCSCs was included in the commit from two days ago: https://github.com/BenWilson-Mozilla/pkipolicy/commit

proposed version 2.8 (without language yet for sunsetting SHA1 and requiring CRLReason codes). https://github.com/mozilla/pkipolicy/compare/master...BenWilson-Mozilla

security-policy@mozilla.org wrote: > >> Hi Ben, >> >> >> >> I'm not against removing old roots from the trust store, but is using the >

of this policy also >> apply to technically constrained intermediate certificates.* >> >> *If the certificate includes the id-kp-emailProtection extended

security-policy@mozilla.org < >>>> dev-security-policy@mozilla.org> >>>> *Sent:* Thursday, January 13, 2022 8:12 PM >>>> *

of this policy, This is a totally accurate statement, but doesn't seem to be the same as originally envisioned in the bugs? That is, imagine a WebTrust auditor (or an ACAB'c

Root Store Policy (MRSP). This is Github Issue #198 . Here is a redline: https://github.com/BenWilson-Mozilla/pkipolicy/commit/2ba1ff1f134db1c600c04805c33d2fb903ce32a9

general Mozilla policy needs to reference RFC 6962 because it describes the system that is actually deployed. 2. When a Precertificate Signing Certificate is used, the issuer of a

Root Store Policy (MSRP), version 2.8, to be published in 2022. (See https://github.com/mozilla/pkipolicy/labels/2.8) This is Github Issue #131 . - It changes "CA"

Root Store Policy. Also, when talking about trust bits, the term "SSL" is changed to "websites". This is Github Issue #184 . Here is a redline: https://github

security-policy@mozilla.org wrote: > >> Is there a preference for which provides the greatest clarity to CAs >> (thinking especially of those that haven't

security-policy@mozilla.org wrote: >>> >>>> > Is it necessary to start a new discussion every time a new CA >>>> Certificate is about to be

in version 2.8 of the Mozilla Root Store Policy. *Discussion will remain open until 1-Dec-2021 * #233 - Editing Process for Review and Approval of Externally Operated Subordinate

Root Store Policy (MSRP), version 2.8, to be published in 2022. (See https://github.com/mozilla/pkipolicy/labels/2.8) This is Github Issue #230 . The proposal is to change "