info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Policy 2.7.1: MRSP Issue #173: Strengthen requirement for newly included roots to meet all current requirements
118 views
Skip to first unread message
Ben Wilson
Oct 28, 2020, 7:40:26 PM10/28/20
to mozilla-dev-security-policy
The current language of MRSP section 7.1 says, "Before being included, CAs
MUST provide evidence that their CA certificates have continually, from the
time of creation, complied with the then-current Mozilla Root Store Policy
and Baseline Requirements." If an older root were to be submitted for
inclusion that does not meet current requirements, there might be an
argument that the certificate met the "then-current" requirements even
though it does not meet the current requirements. The purpose of this
proposed revision to section 7.1 of the MRSP is to close this potential
loophole.
The proposed language would amend the 4th paragraph of section 7.1 to read,
"Before being included, CAs MUST provide evidence that their CA
certificates *fully comply with the current Mozilla Root Store Requirements
and Baseline Requirements, and* have continually, from the time of *CA
private key* creation, complied with the then-current Mozilla Root Store
Policy and Baseline Requirements.
This email begins public discussion of this proposal for inclusion in
version 2.7.1 of the MRSP.
Thanks,
Ben
MUST provide evidence that their CA certificates have continually, from the
time of creation, complied with the then-current Mozilla Root Store Policy
and Baseline Requirements." If an older root were to be submitted for
inclusion that does not meet current requirements, there might be an
argument that the certificate met the "then-current" requirements even
though it does not meet the current requirements. The purpose of this
proposed revision to section 7.1 of the MRSP is to close this potential
loophole.
The proposed language would amend the 4th paragraph of section 7.1 to read,
"Before being included, CAs MUST provide evidence that their CA
certificates *fully comply with the current Mozilla Root Store Requirements
and Baseline Requirements, and* have continually, from the time of *CA
private key* creation, complied with the then-current Mozilla Root Store
Policy and Baseline Requirements.
This email begins public discussion of this proposal for inclusion in
version 2.7.1 of the MRSP.
Thanks,
Ben
0 new messages