
Re: Policy 2.6 Proposal: For new inclusions, require all existing unexpired unrevoked certs in hierarchy to be BR compliant


Wayne Thayer

Apr 16, 2018, 6:52:29 PM
to mozilla-dev-security-policy
I will consider this issue to be resolved by the change I made for issue
113:

https://github.com/mozilla/pkipolicy/commit/55929f58da98a7af08fbf4bc2eb4537991de481b

- Wayne

On Wed, Apr 4, 2018 at 2:31 PM, Wayne Thayer <wth...@mozilla.com> wrote:

> Last year we held a discussion on this topic [1] that concluded as follows:
>
> It is true that in the case of a legacy root, creating a new root with a
>> cross-sign is not technically all that complex (although it may take
>> some time organizationally) and then we could embed that new one.
>>
>> Given that option, perhaps a blanket statement of BR compliance for all
>> unexpired and unrevoked certificates is OK - allowing the CA to choose
>> how best to meet the requirement.
>>
>
> I believe that the solution I proposed for issue 113 [2] (Require audits
> back to first issuance) also takes care of this issue. Here is what I
> proposed:
>
> In section 2.3 (Baseline Requirements Conformance), add a new bullet that
>> states "Before being included, CAs MUST provide evidence that their root
>> certificates have, from the time of creation and continually thereafter,
>> complied with the then current Mozilla Root Store Policy and CA/Browser
>> Forum Baseline Requirements."
>>
>
> Once again, I'd appreciate everyone's input on this topic.
>
> This is: https://github.com/mozilla/pkipolicy/issues/99
>
> [1] https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/2vBlRyfwxEs
> [2] https://groups.google.com/d/msg/mozilla.dev.security.policy/rR9g5BJ6R8E/TPgol2fcBwAJ
>
> -------
>
> This is a proposed update to Mozilla's root store policy for version
> 2.6. Please keep discussion in this group rather than on GitHub. Silence
> is consent.
>
> Policy 2.5 (current version):
> https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md
>