Policy 2.5 Proposal: Require CAs to operate in accordance with their CPs and CPSes

[Gervase Markham]

Mozilla policy requires that certificates issued in contravention of a
CA's CP/CPS should be revoked. Other than that, Mozilla policy does not
directly require that a CA operate in accordance with its CP and CPS. We
require this indirectly because the audits that we require, require it.
This perhaps surprising omission was brought to light by the Let's
Encrypt blocklist incident. Discussion:
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/_pSjsrZrTWY

The proposal is to have Mozilla policy directly require that CAs operate
in accordance with the appropriate CP/CPS for the root(s) in our store
on an ongoing basis.

Specifically, we could add text to the top of section 5.2 ("Forbidden
and Required Practices"):

"CA operations MUST at all times be in accordance with the applicable CP
and CPS."

This is: https://github.com/mozilla/pkipolicy/issues/43

-------

This is a proposed update to Mozilla's root store policy for version
2.5. Please keep discussion in this group rather than on Github. Silence
is consent.

Policy 2.4.1 (current version):
https://github.com/mozilla/pkipolicy/blob/2.4.1/rootstore/policy.md
Update process:
https://wiki.mozilla.org/CA:CertPolicyUpdates

[Jakob Bohm]

On 12/05/2017 15:21, Gervase Markham wrote:
> Mozilla policy requires that certificates issued in contravention of a
> CA's CP/CPS should be revoked. Other than that, Mozilla policy does not
> directly require that a CA operate in accordance with its CP and CPS. We
> require this indirectly because the audits that we require, require it.
> This perhaps surprising omission was brought to light by the Let's
> Encrypt blocklist incident. Discussion:
> https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/_pSjsrZrTWY
>
> The proposal is to have Mozilla policy directly require that CAs operate
> in accordance with the appropriate CP/CPS for the root(s) in our store
> on an ongoing basis.
>
> Specifically, we could add text to the top of section 5.2 ("Forbidden
> and Required Practices"):
>
> "CA operations MUST at all times be in accordance with the applicable CP
> and CPS."
>

Perhaps tweak the wording to make the document submitted to the CCADB
binding, rather than any CP/CPS published elsewhere.

> This is: https://github.com/mozilla/pkipolicy/issues/43
>
> -------
>
> This is a proposed update to Mozilla's root store policy for version
> 2.5. Please keep discussion in this group rather than on Github. Silence
> is consent.
>
> Policy 2.4.1 (current version):
> https://github.com/mozilla/pkipolicy/blob/2.4.1/rootstore/policy.md
> Update process:
> https://wiki.mozilla.org/CA:CertPolicyUpdates
>

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

[Gervase Markham]

On 12/05/17 18:54, Jakob Bohm wrote:
> Perhaps tweak the wording to make the document submitted to the CCADB
> binding, rather than any CP/CPS published elsewhere.

While that certainly seems attractive, changing the location of the
canonical CP/CPS from the CA's repository to Mozilla's repository seems
to be rather taking over a CA function. If many or most root programs
were using the CCADB, this might be more justifiable. What if several
root programs said the applicable version was the one they held in their
systems? That doesn't sound like a great outcome.

CAs are required to keep the CCADB up to date anyway.

Gerv

[Gervase Markham]

On 12/05/17 14:21, Gervase Markham wrote:
> Specifically, we could add text to the top of section 5.2 ("Forbidden
> and Required Practices"):
>
> "CA operations MUST at all times be in accordance with the applicable CP
> and CPS."

Implemented as specced.

Gerv