Policy 2.4 Proposal: Define or remove the word "misused"

Gervase Markham

Dec 16, 2016, 10:20:40 AM
to mozilla-dev-s...@lists.mozilla.org
The word "misused" in the policy could do with clarifying. The
Maintenance Policy states:

"2. CAs must revoke Certificates that they have issued upon the
occurrence of any of the following events: ... the CA obtains reasonable
evidence that the subscriber’s private key (corresponding to the public
key in the certificate) has been compromised or is suspected of
compromise (e.g. Debian weak keys), or that the certificate has
otherwise been misused;"

Kathleen's proposal is to change:

"or that the certificate has otherwise been misused;"

to

"or that the certificate has been used for a purpose outside of that
indicated in the certificate or in the CA's subscriber agreement;"

We feel it's reasonable for the CA (via its subscriber agreement or via
technical controls in the cert) to define what 'misuse' is.

There was a long previous discussion of this on m.d.s.policy, but no
determination was made.
https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/vMrncPi3tx8/Ab90Yi_rBgAJ

This is: https://github.com/mozilla/pkipolicy/issues/1

-------

This is a proposed update to Mozilla's root store policy for version
2.4. Please keep discussion in this group rather than on GitHub. Silence
is consent.

Policy 2.3 (current version):
https://github.com/mozilla/pkipolicy/blob/2.3/rootstore/policy.md
Update process:
https://wiki.mozilla.org/CA:CertPolicyUpdates

Gervase Markham

Jan 12, 2017, 11:00:25 AM
to mozilla-dev-s...@lists.mozilla.org
On 16/12/16 15:20, Gervase Markham wrote:
> Kathleen's proposal is to change:
>
> "or that the certificate has otherwise been misused;"
>
> to
>
> "or that the certificate has been used for a purpose outside of that
> indicated in the certificate or in the CA's subscriber agreement;"

Resolution: fixed as specified.

Gerv