Mozilla CA Policy 2.3 plan

Gervase Markham

Nov 7, 2016, 9:09:39 AM
to mozilla-dev-s...@lists.mozilla.org
Hi everyone,

We would like to reinvigorate the process of developing the next version
of Mozilla's root policy. Kathleen has been wrestling with it for some
time now, but her time is limited and her tasks are many. Other
obstructions include the "big bang" model of change we were using, the
lack of collaboration tools, and the method of tracking issues in a big
wiki page.

So, thanks to the magic of pandoc, I have converted the current policy
(version 2.2) to a single Markdown document which now lives here, on the
"2.2" branch:

https://github.com/mozilla/pkipolicy/blob/2.2/rootstore/policy.md

(I know there was another github repo with 2.3 work; I've started over
again because I wanted to start from a clean 2.2, and make it into a
single document from the beginning, for easier diffing. The repo name is
also more generic, leaving room for CT policy and perhaps CCADB policy.)

It would be useful if people checked it over to make sure I have not
made any mistakes in conversion. The original is here, in four pages:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/

Secondly, I have implemented all the agreed decisions from this list:
https://wiki.mozilla.org/CA:CertificatePolicyV2.3
on top of version 2.2 to make a current draft of version 2.3.

Reviewing all these changes, they all seem to be sensible updates to
reflect changes elsewhere, or things which are permissive. Kathleen has
also commented elsewhere that people have been permitted to follow what
the 2.3 draft says for some time. Therefore, it seems to me that we
could ship the current draft version as version 2.3 immediately, with
immediate applicability. Diff:
https://github.com/mozilla/pkipolicy/compare/2.2...master

We would then start work on 2.4. Does anyone see a problem with that?

Thirdly, I have converted all of the proposed changes from that page
into Github issues in the pkipolicy repository.
https://github.com/mozilla/pkipolicy/issues
Please make sure your favourite issue is present and well-explained, and
file new ones if not.

Fourthly, I have triaged the issues and marked those I think are urgent
and achievable in a reasonably short time frame with the "2.4"
milestone. That list is here:
https://github.com/mozilla/pkipolicy/milestone/1

Please dispute my triage, either in or out, here on this list :-)

So the proposal is to ship the current draft immediately as 2.3, then
implement the urgent changes as soon as possible and ship that as 2.4,
and then retriage the remaining issues to see what to do next.

Comments, as always, are welcome.

Gerv

Kurt Roeckx

Nov 7, 2016, 9:34:55 AM
to mozilla-dev-s...@lists.mozilla.org
On 2016-11-07 15:08, Gervase Markham wrote:
> https://github.com/mozilla/pkipolicy/compare/2.2...master

So one of the changes is that you now have:
- issuing certificates), as described in [CA/Browser Forum
- Baseline Requirement
- \#12;](http://www.cabforum.org/documents.html)
+ issuing certificates), as described in section 6.1.7 of the
+ [CA/Browser Forum Baseline
+
Requirements](https://cabforum.org/baseline-requirements-documents/);
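
Review bot: the added "section 6.1.7" reference is paired with a link to the general baseline-requirements-documents page, and nothing in this hunk names a BR version, so a reader cannot tell which edition of the BRs that section number was checked against. Consider stating the BR version next to the section number, or giving the section's title as well as its number so the reference still resolves if the numbering changes.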

In my experience, pointing to a specific section of the BRs causes
problems because things are moved, renumbered and so on. Other changes
in the document also point to specific sections.


Kurt

Gervase Markham

Nov 7, 2016, 9:37:47 AM
to Kurt Roeckx
On 07/11/16 14:34, Kurt Roeckx wrote:
> In my experience, pointing to a specific section of the BRs causes
> problems because things are moved, renumbered and so on. Other changes
> in the document also point to specific sections.

The BRs now follow RFC 3647, which AIUI specifies the title and
numbering of each section. So this is much less of a problem than it was
before we converted to using RFC 3647.

Gerv

Kathleen Wilson

Nov 7, 2016, 3:06:03 PM
to mozilla-dev-s...@lists.mozilla.org
On Monday, November 7, 2016 at 6:09:39 AM UTC-8, Gervase Markham wrote:
> Hi everyone,
>
> We would like to reinvigorate the process of developing the next version
> of Mozilla's root policy. Kathleen has been wrestling with it for some
> time now, but her time is limited and her tasks are many. Other
> obstructions include the "big bang" model of change we were using, the
> lack of collaboration tools, and the method of tracking issues in a big
> wiki page.

Thank you, Gerv, for taking this on!

>
> So, thanks to the magic of pandoc, I have converted the current policy
> (version 2.2) to a single Markdown document which now lives here, on the
> "2.2" branch:
>
> https://github.com/mozilla/pkipolicy/blob/2.2/rootstore/policy.md


Looks good to me.


>
> (I know there was another github repo with 2.3 work; I've started over
> again because I wanted to start from a clean 2.2, and make it into a
> single document from the beginning, for easier diffing. The repo name is
> also more generic, leaving room for CT policy and perhaps CCADB policy.)
>

I have updated the top of https://wiki.mozilla.org/CA:CertificatePolicyV2.3 to point to the new location in github, etc.


> It would be useful if people checked it over to make sure I have not
> made any mistakes in conversion. The original is here, in four pages:
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/

Just one minor glitch in the last bullet point of item 11 of the Inclusion policy regarding EV audit criteria. Otherwise, looks good.


> Secondly, I have implemented all the agreed decisions from this list:
> https://wiki.mozilla.org/CA:CertificatePolicyV2.3
> on top of version 2.2 to make a current draft of version 2.3.

I have reviewed
https://github.com/mozilla/pkipolicy/blob/master/rootstore/policy.md
and I see all of the expected changes, as per
https://wiki.mozilla.org/CA:CertificatePolicyV2.3#Changes_Made_to_DRAFT_Version_2.3

In section 11 the two bullet points regarding ETSI TS 119 411 are out of date.

It currently says:
""
- Clause 6 “Trust Service Providers practice” in ETSI TS 119 411-1 V1.0.1 or later version Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements (as applicable to the "EVCP" and "EVCP+" certificate policies, DVCP and OVCP certificate policies for publicly trusted certificates - baseline requirements and any of the and any of the "NCP", "NCP+", or "LCP" certificate policies);
- Clause 6 “Trust Service Providers practice” in ETSI TS 119 411-2 V2.0.7 or later version Policy and security requirements for Trust Service Providers issuing certificates; Part 2: Requirements for trust service providers issuing EU qualified certificates (only applicable to electronic signature certificate issuance; applicable to either “QCP-l” or “QCP-l-qscd“ or “QCP-n” or ‘’QCP-n-qscd’’ or ‘’QCP-w).""

In the BRs it says:
"2. A national scheme that audits conformance to ETSI TS 102 042/ ETSI EN 319 411-1;"
and references:
ETSI EN 319 403, Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity
Assessment ‐ Requirements for conformity assessment bodies assessing Trust Service Providers.
ETSI EN 319 411‐1, Electronic Signatures and Infrastructures (ESI); Policy and security requirements for
Trust Service Providers issuing certificates; Part 1: General requirements


>
> Reviewing all these changes, they all seem to be sensible updates to
> reflect changes elsewhere, or things which are permissive. Kathleen has
> also commented elsewhere that people have been permitted to follow what
> the 2.3 draft says for some time. Therefore, it seems to me that we
> could ship the current draft version as version 2.3 immediately, with
> immediate applicability. Diff:
> https://github.com/mozilla/pkipolicy/compare/2.2...master


That would be great, with the exception of getting the ETSI audit numbers/info updated first -- so I think we need to get https://github.com/mozilla/pkipolicy/issues/3 into this version 2.3.


>
> We would then start work on 2.4. Does anyone see a problem with that?

Sounds good to me.

>
> Thirdly, I have converted all of the proposed changes from that page
> into Github issues in the pkipolicy repository.
> https://github.com/mozilla/pkipolicy/issues
> Please make sure your favourite issue is present and well-explained, and
> file new ones if not.
>
> Fourthly, I have triaged the issues and marked those I think are urgent
> and achievable in a reasonably short time frame with the "2.4"
> milestone. That list is here:
> https://github.com/mozilla/pkipolicy/milestone/1

That link didn't work for me.
Here's the link that works for me:
https://github.com/mozilla/pkipolicy/issues?q=is%3Aopen+is%3Aissue+milestone%3A2.4


>
> Please dispute my triage, either in or out, here on this list :-)
>
> So the proposal is to ship the current draft immediately as 2.3, then
> implement the urgent changes as soon as possible and ship that as 2.4,
> and then retriage the remaining issues to see what to do next.
>
> Comments, as always, are welcome.



Thanks!
Kathleen

Gervase Markham

Nov 8, 2016, 5:00:05 AM
to Kathleen Wilson
On 07/11/16 20:05, Kathleen Wilson wrote:
>> It would be useful if people checked it over to make sure I have not
>> made any mistakes in conversion. The original is here, in four pages:
>> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
>
> Just one minor glitch in the last bullet point of item 11 of the
> Inclusion policy regarding EV audit criteria. Otherwise, looks good.

I think it's now the second bullet, isn't it?

> In section 11 the two bullet points regarding ETSI TS 119 411 are out of date.

If you know what it should say, please add info to the bug. It wasn't
entirely clear to me what the right thing was.

> That would be great, with the exception of getting the ETSI audit
> numbers/info updated first -- so I think we need to get
> https://github.com/mozilla/pkipolicy/issues/3 into this version 2.3.

OK. I've reopened milestone 2.3 and added this issue. If you (or Inigo)
can tell me how exactly to resolve it, that would be great!

>> Fourthly, I have triaged the issues and marked those I think are urgent
>> and achievable in a reasonably short time frame with the "2.4"
>> milestone. That list is here:
>> https://github.com/mozilla/pkipolicy/milestone/1
>
> That link didn't work for me.

Yes, sorry, the correct link for milestone 2.4 is:
https://github.com/mozilla/pkipolicy/milestone/2

Milestone 2.3 is:
https://github.com/mozilla/pkipolicy/milestone/1

Gerv

Gervase Markham

Nov 8, 2016, 5:56:26 AM
to mozilla-dev-s...@lists.mozilla.org
On 07/11/16 14:08, Gervase Markham wrote:
> Fourthly, I have triaged the issues and marked those I think are urgent
> and achievable in a reasonably short time frame with the "2.4"
> milestone. That list is here:
> https://github.com/mozilla/pkipolicy/milestone/1

Correct URL:
https://github.com/mozilla/pkipolicy/milestone/2

> Please dispute my triage, either in or out, here on this list :-)

The above issues should almost all now have proposed text which can be
commented on.

Gerv


Gervase Markham

Nov 14, 2016, 5:40:24 AM
to mozilla-dev-s...@lists.mozilla.org
On 07/11/16 14:08, Gervase Markham wrote:
> the 2.3 draft says for some time. Therefore, it seems to me that we
> could ship the current draft version as version 2.3 immediately, with
> immediate applicability. Diff:
> https://github.com/mozilla/pkipolicy/compare/2.2...master

We found one additional issue (references to new ETSI docs) which needed
resolving, but which is now resolved. So we think version 2.3 is now
ready to ship, and become immediately applicable. See the diff URL above
for the changes.

Last chance to raise objections! :-)

(The BR version number update is to the one that has been in the draft
2.3 policy for ages, rather than to the latest version; that's intentional.)

Gerv
