
Updating Mozilla's CA Certificate Policy


Kathleen Wilson

Aug 20, 2015, 2:12:50 PM
to mozilla-dev-s...@lists.mozilla.org
All,

It's time to begin discussions about updating Mozilla's CA Certificate
Policy.

The current policy is here:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
Inclusion Policy:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
Maintenance Policy:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/

A list of the things to consider changing is here:
https://wiki.mozilla.org/CA:CertPolicyUpdates#Consider_for_Version_2.3

Please review the list to let me know if there are any topics missing.

To start with, I would like to make the following changes, so please
reply soon if you foresee any problems with these:

1) Update BR section numbers to correspond with BR version 1.3 that was
published in April.
https://cabforum.org/wp-content/uploads/RFC3647_Comparison_Table_for_Baseline_Requirements.pdf
Note that this also applies to the process/policy wiki pages.

2) Update item #12 of the Inclusion Policy to refer to a more recent
version of the CA/Browser Forum Baseline Requirements. And add "or
later" to the BR version number.
Which version number should I use?

3) Remove "ISO 21188:2006 Public key infrastructure for financial
services -- Practices and policy framework;" from item #11 of the
Inclusion Policy.

4) In the first bullet point of item #9 of the Maintenance Policy remove
the "after June 30, 2011" and add MD2 and MD4.
Current text: "after June 30, 2011, software published by Mozilla will
return an error when a certificate with an MD5-based signature is used;"
Proposed new text: "software published by Mozilla will return an error
when a certificate with an MD2, MD4, or MD5-based signature is used;"

5) Update the second bullet point of item #9 of the Maintenance Policy.
Current text: "all end-entity certificates with RSA key sizes smaller
than 2048 bits must expire by December 31, 2013;"
Proposed new text: "software published by Mozilla will return an error
when SSL/TLS or Code Signing certificates have RSA key sizes smaller
than 2048 bits."

6) Delete the third bullet point of item #9 of the Maintenance Policy.
Current text: "after December 31, 2013, Mozilla will disable or remove
all root certificates with RSA key sizes smaller than 2048 bits;"


I will greatly appreciate your thoughtful and constructive input as we
consider changes to make to Mozilla's CA Certificate Policy.

Kathleen
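The two proposed bullets in item #9 (reject MD2/MD4/MD5-based signatures; reject SSL/TLS and Code Signing certificates with RSA keys under 2048 bits) describe a check that validation software performs on every certificate it sees. The following Python is an added example, not Mozilla's or NSS's code: it decodes the signatureAlgorithm OID from its DER bytes, maps it to a hash name, and applies the proposed policy to a summary record of the certificate. The `CertSummary` shape, the `usage` labels and the sample certificates are assumptions constructed for the example; the OID values are the standard PKCS #1 ones.

```python
"""Policy check for certificate signature hash and RSA key size.

Added example (not Mozilla's code): applies the proposed wording of
Maintenance Policy item #9 to a certificate's parsed fields. The
CertSummary shape and the sample certificates are constructed here.
"""
from dataclasses import dataclass

# PKCS #1 signatureAlgorithm OIDs (RFC 3279 / RFC 4055) mapped to hash names.
SIGNATURE_HASH = {
    "1.2.840.113549.1.1.2": "MD2",
    "1.2.840.113549.1.1.3": "MD4",
    "1.2.840.113549.1.1.4": "MD5",
    "1.2.840.113549.1.1.5": "SHA-1",
    "1.2.840.113549.1.1.11": "SHA-256",
    "1.2.840.113549.1.1.12": "SHA-384",
    "1.2.840.113549.1.1.13": "SHA-512",
}
REJECTED_HASHES = {"MD2", "MD4", "MD5"}      # proposed item #9, first bullet
MIN_RSA_BITS = 2048                          # proposed item #9, second bullet
KEY_SIZE_USAGES = {"tls", "codesigning"}     # the usages the second bullet names


def decode_oid(der: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER TLV (short-form length) to dotted form."""
    if len(der) < 3 or der[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported length form or truncated OID")
    body = der[2:]
    if body[-1] & 0x80:
        raise ValueError("truncated sub-identifier")
    # The first octet packs the first two arcs as 40*X + Y.
    arcs = [body[0] // 40, body[0] % 40] if body[0] < 80 else [2, body[0] - 80]
    value = 0
    for octet in body[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:  # a clear high bit ends this sub-identifier
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


@dataclass
class CertSummary:
    """Fields a DER parser would already have extracted (assumed shape)."""
    subject: str
    signature_algorithm_der: bytes  # the AlgorithmIdentifier's algorithm OID, as DER
    key_type: str                   # "RSA" or "EC"
    key_bits: int                   # RSA modulus length, or curve size for EC
    usage: str                      # "tls", "codesigning" or "email" (assumed labels)


def check_certificate(cert: CertSummary) -> list:
    """Return the policy errors the proposed item #9 text would raise for this cert."""
    errors = []
    oid = decode_oid(cert.signature_algorithm_der)
    hash_name = SIGNATURE_HASH.get(oid, oid)
    if hash_name in REJECTED_HASHES:
        errors.append(f"{cert.subject}: {hash_name}-based signature is rejected")
    if (cert.key_type == "RSA" and cert.usage in KEY_SIZE_USAGES
            and cert.key_bits < MIN_RSA_BITS):
        errors.append(f"{cert.subject}: RSA key of {cert.key_bits} bits is below "
                      f"the {MIN_RSA_BITS}-bit minimum for {cert.usage} certificates")
    return errors


# Constructed samples: the OID bytes are the real DER encodings of the PKCS #1
# signature OIDs; the certificates themselves are invented for this example.
MD5_RSA = bytes.fromhex("06092a864886f70d010104")     # 1.2.840.113549.1.1.4
SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # 1.2.840.113549.1.1.11

SAMPLE_CERTS = {
    "legacy": CertSummary("legacy.example", MD5_RSA, "RSA", 1024, "tls"),
    "weak-key": CertSummary("signer.example", SHA256_RSA, "RSA", 1024, "codesigning"),
    "email-1024": CertSummary("user@example", SHA256_RSA, "RSA", 1024, "email"),
    "good": CertSummary("www.example", SHA256_RSA, "RSA", 2048, "tls"),
}

if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        print(name, check_certificate(cert) or "OK")
```

Note that the key-size check is scoped to the usages the proposed wording names, so the constructed 1024-bit S/MIME certificate passes while the same key in a code-signing certificate fails; a reviewer comparing the old and new bullet text can see that difference directly in the output.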

Gervase Markham

Aug 24, 2015, 8:54:26 AM
to mozilla-dev-s...@lists.mozilla.org
Hi Kathleen,

On 20/08/15 19:12, Kathleen Wilson wrote:
> It's time to begin discussions about updating Mozilla's CA Certificate
> Policy.

Great :-)

> A list of the things to consider changing is here:
> https://wiki.mozilla.org/CA:CertPolicyUpdates#Consider_for_Version_2.3

How do you want to deal with this list? Is it "default-do" or
"default-don't-do"? That is, should I spend my time arguing for the
changes I would like to see, arguing against the changes I think are
bogus, or a combination of the two?

> Please review the list to let me know if there are any topics missing.

I've updated the list so that the topics are numbered, which should
hopefully help discussion.

> To start with, I would like to make the following changes, so please
> reply soon if you foresee any problems with these:

Do you anticipate making all the changes in one batch, or do you think
you might do a 2.3 with the below changes, and a 2.4 with some other
changes which require more discussion?

> 2) Update item #12 of the Inclusion Policy to refer to a more recent
> version of the CA/Browser Forum Baseline Requirements. And add "or
> later" to the BR version number.
> Which version number should I use?

Whichever version is current at the time you issue the new policy.

But do we have a plan to give CAs a timeframe to come into compliance?

If you add "or later", does that mean that CAs must comply with at least
the version number given but may, at their option, comply with a later
version?

Gerv

Brian Smith

Aug 24, 2015, 1:12:21 PM
to Gervase Markham, mozilla-dev-s...@lists.mozilla.org
On Mon, Aug 24, 2015 at 5:53 AM, Gervase Markham <ge...@mozilla.org> wrote:

> On 20/08/15 19:12, Kathleen Wilson wrote:
> > It's time to begin discussions about updating Mozilla's CA Certificate
> > Policy.
>
> Great :-)
>
> > A list of the things to consider changing is here:
> > https://wiki.mozilla.org/CA:CertPolicyUpdates#Consider_for_Version_2.3
>
> How do you want to deal with this list? Is it "default-do" or
> "default-don't-do"? That is, should I spend my time arguing for the
> changes I would like to see, arguing against the changes I think are
> bogus, or a combination of the two?
>

I also have this same question.


> > Please review the list to let me know if there are any topics missing.
>

1. Mozilla recently asked some CAs about their practices in issuing
certificates that are syntactically invalid in various ways, and we got a
lot of good responses [1]. I was struck by the responses like GlobalSign's
that basically said, paraphrasing, "we intend to continue knowingly violating
the baseline requirements by issuing syntactically invalid certificates." I
think it would be good to make it clearer that producing syntactically
valid certificates is **required**. In particular, I think that Mozilla
should audit a CA's recently-issued certificates and automatically reject a
CA's request for inclusion or membership renewal if there are a non-trivial
number of certificates that have the problems mentioned in [2]. (Also, I
have some new information about problematic practices to expand the list in
[2], which I hope to share next week.)

2. Last week (or so), one of GlobalSign's OCSP response signing
certificates expired before the OCSP responses signed by the certificate
expired (IIUC), which caused problems for multiple websites, particularly
ones that use OCSP stapling. Please make it a requirement that every OCSP
response must have a nextUpdate field that is before or equal to the
notAfter date of the certificate that signs it. This should be easy for CAs
to comply with.

3. Please add a requirement that every OCSP response must have a nextUpdate
field. This is required to ensure that OCSP stapling works *reliably* with
all (at least most) server and client products.

4. Please add a requirement that the nextUpdate field must be no longer
than 72 hours after the thisUpdate field, i.e. that OCSP responses expire
within 3 days, for every certificate, for both end-entity certificates and
CA certificates.

5. On the page you linked to, there are items about removing support for
SHA-512-signed and P-521-signed certificates. Those were suggested by me
previously. I would like to change my suggestion to just recommending that
CAs avoid SHA-512 and P-521, especially in their CA certificates. Again,
this is to ensure interoperability, as SHA-512 and (especially) P-521 are
less well-supported than the other algorithms. (Note: On the page you
linked to, P-521 is incorrectly spelled "P-512".)

Thanks,
Brian

[1]
https://mozillacaprogram.secure.force.com/Communications/CommunicationActionOptionResponse?CommunicationId=a04o000000M89RCAAZ&Question=ACTION%20%234:%20Workarounds%20were%20implemented
[2]
https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix
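Items 2 through 4 above amount to three timing rules on every OCSP response: nextUpdate must be present, nextUpdate must not exceed 72 hours after thisUpdate, and nextUpdate must not be later than the notAfter of the certificate that signed the response. The following Python is an added example, not Mozilla's or any CA's code, that applies those rules as a linter over the already-parsed fields of a response; the `OcspResponseSummary` shape, the `audit_responses` helper and the sample responses and dates are constructed for the example.

```python
"""Timing checks on OCSP responses.

Added example (not Mozilla's or any CA's code): encodes the three OCSP
timing requirements proposed in the message above as a linter over the
already-parsed fields of a response. The OcspResponseSummary shape and
the sample responses are constructed here.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_RESPONSE_LIFETIME = timedelta(hours=72)  # bound on nextUpdate - thisUpdate


@dataclass
class OcspResponseSummary:
    serial: str                      # serial of the certificate the response covers
    this_update: datetime            # SingleResponse.thisUpdate
    next_update: Optional[datetime]  # SingleResponse.nextUpdate, None if absent
    signer_not_after: datetime       # notAfter of the certificate that signed the response


def check_ocsp_response(resp: OcspResponseSummary,
                        max_lifetime: timedelta = MAX_RESPONSE_LIFETIME) -> list:
    """Return a list of findings; an empty list means the response complies."""
    findings = []
    if resp.next_update is None:
        # Without nextUpdate, stapling software cannot know when to refetch,
        # and the remaining checks have nothing to compare against.
        findings.append("nextUpdate is absent")
        return findings
    if resp.next_update < resp.this_update:
        findings.append("nextUpdate precedes thisUpdate")
    elif resp.next_update - resp.this_update > max_lifetime:
        findings.append(
            f"response lifetime {resp.next_update - resp.this_update} exceeds {max_lifetime}")
    if resp.next_update > resp.signer_not_after:
        # Clients stop accepting a stapled response once its signing certificate
        # has expired, so the response would become unusable before its own nextUpdate.
        findings.append("nextUpdate is later than the signer certificate's notAfter")
    return findings


def audit_responses(responses) -> dict:
    """Map each non-compliant response's serial to its findings."""
    report = {}
    for resp in responses:
        findings = check_ocsp_response(resp)
        if findings:
            report[resp.serial] = findings
    return report


def _utc(*args) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample responses; the serials and dates are invented.
SIGNER_EXPIRY = _utc(2015, 8, 15, 0, 0)
SAMPLE_RESPONSES = [
    # compliant: 2-day lifetime, ends before the signer expires
    OcspResponseSummary("01", _utc(2015, 8, 10, 0, 0), _utc(2015, 8, 12, 0, 0), SIGNER_EXPIRY),
    # nextUpdate omitted
    OcspResponseSummary("02", _utc(2015, 8, 10, 0, 0), None, SIGNER_EXPIRY),
    # 7-day lifetime that also outlives the signer
    OcspResponseSummary("03", _utc(2015, 8, 10, 0, 0), _utc(2015, 8, 17, 0, 0), SIGNER_EXPIRY),
    # short lifetime, but issued so late that it still outlives the signer
    OcspResponseSummary("04", _utc(2015, 8, 14, 0, 0), _utc(2015, 8, 16, 0, 0), SIGNER_EXPIRY),
]

if __name__ == "__main__":
    for serial, findings in audit_responses(SAMPLE_RESPONSES).items():
        print(serial, findings)
```

The fourth sample is the case that bit the stapling deployments described above: the response itself is short-lived and well-formed, and the only defect is that its nextUpdate falls after the signing certificate's notAfter, which is why that comparison has to be a separate check rather than folded into the lifetime bound.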

Peter Bowen

Aug 24, 2015, 6:43:04 PM
to Kathleen Wilson, mozilla-dev-s...@lists.mozilla.org
On Thu, Aug 20, 2015 at 11:12 AM, Kathleen Wilson <kwi...@mozilla.com> wrote:
> It's time to begin discussions about updating Mozilla's CA Certificate
> Policy.
>
> A list of the things to consider changing is here:
> https://wiki.mozilla.org/CA:CertPolicyUpdates#Consider_for_Version_2.3
>
> Please review the list to let me know if there are any topics missing.

Kathleen,

Are the items under "Items to Add/Update in the Policy" such as RAs,
Audits, and Policy Enforcement part of this discussion?

Thanks,
Peter

Kathleen Wilson

Aug 24, 2015, 7:03:22 PM
to mozilla-dev-s...@lists.mozilla.org
On 8/24/15 5:53 AM, Gervase Markham wrote:
> Hi Kathleen,
>
> On 20/08/15 19:12, Kathleen Wilson wrote:
>> It's time to begin discussions about updating Mozilla's CA Certificate
>> Policy.
>
> Great :-)
>
>> A list of the things to consider changing is here:
>> https://wiki.mozilla.org/CA:CertPolicyUpdates#Consider_for_Version_2.3
>
> How do you want to deal with this list? Is it "default-do" or
> "default-don't-do"? That is, should I spend my time arguing for the
> changes I would like to see, arguing against the changes I think are
> bogus, or a combination of the two?


I will open a separate discussion thread for each item, beginning with
"1. Clean up the "Other considerations when updating the CA Certificate
Policy" section of the Potentially Problematic Practices page. i.e.
figure out which items should be put directly into Mozilla's CA
Certificate Policy."

At that point, you can argue for/against it.


>
>> Please review the list to let me know if there are any topics missing.
>
> I've updated the list so that the topics are numbered, which should
> hopefully help discussion.

Thanks.

>
>> To start with, I would like to make the following changes, so please
>> reply soon if you foresee any problems with these:
>
> Do you anticipate making all the changes in one batch, or do you think
> you might do a 2.3 with the below changes, and a 2.4 with some other
> changes which require more discussion?

I am considering doing it all in one batch, but that can change.

I am also considering using GitHub to track the changes as we complete
each discussion.


>
>> 2) Update item #12 of the Inclusion Policy to refer to a more recent
>> version of the CA/Browser Forum Baseline Requirements. And add "or
>> later" to the BR version number.
>> Which version number should I use?
>
> Whichever version is current at the time you issue the new policy.
>
> But do we have a plan to give CAs a timeframe to come into compliance?

When we release the new version of the policy, I will also provide a
wiki page with guidance and time frames for CAs to get into compliance.
e.g. https://wiki.mozilla.org/CA:CertificatePolicyV2.2

>
> If you add "or later", does that mean that CAs must comply with at least
> the version number given but may, at their option, comply with a later
> version?

That is my intent. I do not want to have to update Mozilla's CA Cert
Policy every time the BRs are updated, but I don't want to limit the CAs
to an old version for the BRs either.

Thanks,
Kathleen


Kathleen Wilson

Aug 24, 2015, 7:23:49 PM
to mozilla-dev-s...@lists.mozilla.org
On 8/24/15 10:12 AM, Brian Smith wrote:
> On Mon, Aug 24, 2015 at 5:53 AM, Gervase Markham <ge...@mozilla.org> wrote:
>
>> On 20/08/15 19:12, Kathleen Wilson wrote:
>>> It's time to begin discussions about updating Mozilla's CA Certificate
>>> Policy.
>>
>> Great :-)
>>
>>> A list of the things to consider changing is here:
>>> https://wiki.mozilla.org/CA:CertPolicyUpdates#Consider_for_Version_2.3
>>
>> How do you want to deal with this list? Is it "default-do" or
>> "default-don't-do"? That is, should I spend my time arguing for the
>> changes I would like to see, arguing against the changes I think are
>> bogus, or a combination of the two?
>>
>

There is no default. I plan to hold a separate discussion for each item
in the https://wiki.mozilla.org/CA:CertPolicyUpdates#To_Be_Discussed
list. If we decide not to make a corresponding change, I will note that,
and we will move on.

I added separate sub-sections to make this more clear; see
https://wiki.mozilla.org/CA:CertPolicyUpdates#Will_NOT_Do
I added these suggestions -- see items 4 through 8 of
https://wiki.mozilla.org/CA:CertPolicyUpdates#To_Be_Discussed

Thanks,
Kathleen
Kathleen Wilson

Aug 24, 2015, 7:25:16 PM
to mozilla-dev-s...@lists.mozilla.org
Not by default.

If you want something in
https://wiki.mozilla.org/CA:CertPolicyUpdates#Items_to_Add.2FUpdate_in_the_Policy
to be added to
https://wiki.mozilla.org/CA:CertPolicyUpdates#Consider_for_Version_2.3
then please reply to let us know which items.

Thanks,
Kathleen

Gervase Markham

Aug 25, 2015, 4:14:08 PM
to mozilla-dev-s...@lists.mozilla.org
On 24/08/15 16:02, Kathleen Wilson wrote:
> I will open a separate discussion thread for each item, beginning with
> "1. Clean up the "Other considerations when updating the CA Certificate
> Policy" section of the Potentially Problematic Practices page. i.e.
> figure out which items should be put directly into Mozilla's CA
> Certificate Policy."
>
> At that point, you can argue for/against it.

There are over 20 items on the list; that will be a lot of threads, and
so a lot of email. I hope everyone is prepared :-)

Gerv

Kathleen Wilson

Aug 26, 2015, 2:49:05 PM
to mozilla-dev-s...@lists.mozilla.org
I updated
https://wiki.mozilla.org/CA:CertPolicyUpdates#Consider_for_Version_2.3
to separate it into 3 sections.

1) Corrections / Minor Updates
https://wiki.mozilla.org/CA:CertPolicyUpdates#Corrections_.2F_Minor_Updates
This section is the list of the initial changes I would like to make
that I already had listed in this discussion, but I added another item:
"7. Update section 11 of the Inclusion Policy to refer to and link to
more recent versions of the audit criteria."


2) To Be Discussed
https://wiki.mozilla.org/CA:CertPolicyUpdates#To_Be_Discussed
This is the list of bigger changes that we will need to discuss
separately before deciding if/how to update the policy.


3) Will NOT Do
https://wiki.mozilla.org/CA:CertPolicyUpdates#Will_NOT_Do
This is the list of things we have discussed and decided not to change
in the policy.

Kathleen

Kathleen Wilson

Sep 8, 2015, 7:56:49 PM
to mozilla-dev-s...@lists.mozilla.org
On 8/26/15 11:48 AM, Kathleen Wilson wrote:
> I updated
> https://wiki.mozilla.org/CA:CertPolicyUpdates#Consider_for_Version_2.3
> to separate it into 3 sections.
>


I copied the items that we want to consider for Version 2.3 of the
policy to a new wiki page that I can use to guide our discussions and
track our progress:

https://wiki.mozilla.org/CA:CertificatePolicyV2.3

In order to preserve mapping to the numbers in the original page, I used
the following scheme.

Items that begin with "(C#)..." are from the corresponding item # in
https://wiki.mozilla.org/CA:CertPolicyUpdates#Corrections_.2F_Minor_Updates


Items that begin with "(D#)..." are from the corresponding item # in
https://wiki.mozilla.org/CA:CertPolicyUpdates#To_Be_Discussed


The new page, https://wiki.mozilla.org/CA:CertificatePolicyV2.3
is organized as follows:

1.1 Changes Made to DRAFT Version 2.3
This is the list of changes that have been made to the DRAFT of Version
2.3 in https://github.com/mozilla/ca-policy

1.2 Proposed Changes Currently Being Discussed
- Code Signing Trust Bits
- Corrections/Minor Updates

1.3 Proposed Changes That Need To Be Discussed
1.3.1 General Policy Cleanup
1.3.2 Transparency
1.3.3 Accountability
1.3.4 Revocation
1.3.5 Government CAs
1.3.6 Remaining Cleanup


As always, I will appreciate your constructive and thoughtful feedback
on this.

Thanks,
Kathleen
Kathleen Wilson

Sep 8, 2015, 8:02:05 PM
to mozilla-dev-s...@lists.mozilla.org
On 9/8/15 4:56 PM, Kathleen Wilson wrote:
> The new page, https://wiki.mozilla.org/CA:CertificatePolicyV2.3
> is organized as follows:
>
> 1.1 Changes Made to DRAFT Version 2.3
> This is the list of changes that have been made to the DRAFT of Version
> 2.3 in https://github.com/mozilla/ca-policy


The public view of the changes will be here:
http://mozilla.github.io/ca-policy/