info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Policy 2.7.1 Issues to be Considered
309 views
Skip to first unread message
Ben Wilson
Oct 1, 2020, 4:22:10 PM10/1/20
to mozilla-dev-security-policy
Below is a list of issues that I propose be addressed in the next version
(2.7.1) of the Mozilla Root Store Policy (MRSP). There are currently 73
issues related to the MRSP listed here:
https://github.com/mozilla/pkipolicy/issues. So far, I have identified 13
items to consider for this policy update; which are tagged as v.2.7.1 in
GitHub (https://github.com/mozilla/pkipolicy/labels/2.7.1). I will
appreciate your input on this list as to whether there are issues that
should be added or removed. Then, based on the list, I will start a
separate discussion thread in mozilla.dev.security.policy for each issue.
#139 <https://github.com/mozilla/pkipolicy/issues/139> - Audits are
required even if no longer issuing - Clarify that audits are required until
the CA certificate is revoked, expired, or removed. Related to Issue #153.
#147 <https://github.com/mozilla/pkipolicy/issues/147> - Require EV audits
for certificates capable of issuing EV certificates – Clarify that EV
audits are required for all intermediate certificates that are technically
capable of issuing EV certificates, even when not currently issuing EV
certificates.
#153 <https://github.com/mozilla/pkipolicy/issues/153> – Cradle-to-Grave
Contiguous Audits – Specify the audits that are required from Root key
generation ceremony until expiration or removal from Mozilla’s root store.
Related to Issue #139.
#154 <https://github.com/mozilla/pkipolicy/issues/154> - Require Management
Assertions to list Non-compliance – Add to MRSP 2.4 “If being audited to
the WebTrust criteria, the Management Assertion letter MUST include all
known incidents that occurred or were still open/unresolved at any time
during the audit period.”
#173 <https://github.com/mozilla/pkipolicy/issues/173> - Strengthen
requirement for newly included roots to meet all past and present
requirements – Add language to MRSP 7.1 so that it is clear that before
being included CAs must comply and have complied with past and present
Mozilla Root Store Policy and Baseline Requirements.
#186 <https://github.com/mozilla/pkipolicy/issues/186> - Clarify MRSP 5.3
Requirement to Disclose Self-signed Certificates – Clarify that self-signed
certificates with the same key pair as an existing root meets MRSP 5.3’s
definition of an intermediate certificate that must be disclosed in the
CCADB.
#187 <https://github.com/mozilla/pkipolicy/issues/187> - Require disclosure
of incidents in Audit Reports – To MRSP 3.1.4 “The publicly-available
documentation relating to each audit MUST contain at least the following
clearly-labelled information: “ add “11. all incidents (as defined in
section 2.4) that occurred or were still open/unresolved at any time during
the audit period, or a statement that the auditor is unaware of any;”
#192 <https://github.com/mozilla/pkipolicy/issues/192> - Require
information about auditor qualifications in the audit report – Require
audit statements to be accompanied by documentation of the auditor’s
qualifications demonstrating the auditor’s competence and experience.
#205 <https://github.com/mozilla/pkipolicy/issues/205> - Require CAs to
publish accepted methods for proving key compromise – Require CAs to
disclose their acceptable methods for proving key compromise in section
4.9.12 of their CPS.
#206 <https://github.com/mozilla/pkipolicy/issues/206> - Limit re-use of
domain name verification to 395 days – Amend item 5 in MRSP 2.1 with “and
verify ownership/control of each dNSName and iPAddress in the certificate's
subjectAltName at intervals of 398 days or less;”
#207 <https://github.com/mozilla/pkipolicy/issues/207> - Require audit
statements to provide information about which CA Locations were and were
not audited, and the extent to which they were (or were not) audited
#211 <https://github.com/mozilla/pkipolicy/issues/211> - Align OCSP
requirements in Mozilla's policy with the section 4.9.10 of the Baseline
Requirements
#218 <https://github.com/mozilla/pkipolicy/issues/218> Clarify CRL
requirements for End Entity Certificates – For CRLite, Mozilla would like
to ensure that it has full lists of revoked certificates. If the CA uses
partial CRLs, then require CAs to provide the URL location of their full
and complete CRL in the CCADB.
Ben Wilson
Mozilla Root Program Manager
(2.7.1) of the Mozilla Root Store Policy (MRSP). There are currently 73
issues related to the MRSP listed here:
https://github.com/mozilla/pkipolicy/issues. So far, I have identified 13
items to consider for this policy update; which are tagged as v.2.7.1 in
GitHub (https://github.com/mozilla/pkipolicy/labels/2.7.1). I will
appreciate your input on this list as to whether there are issues that
should be added or removed. Then, based on the list, I will start a
separate discussion thread in mozilla.dev.security.policy for each issue.
#139 <https://github.com/mozilla/pkipolicy/issues/139> - Audits are
required even if no longer issuing - Clarify that audits are required until
the CA certificate is revoked, expired, or removed. Related to Issue #153.
#147 <https://github.com/mozilla/pkipolicy/issues/147> - Require EV audits
for certificates capable of issuing EV certificates – Clarify that EV
audits are required for all intermediate certificates that are technically
capable of issuing EV certificates, even when not currently issuing EV
certificates.
#153 <https://github.com/mozilla/pkipolicy/issues/153> – Cradle-to-Grave
Contiguous Audits – Specify the audits that are required from Root key
generation ceremony until expiration or removal from Mozilla’s root store.
Related to Issue #139.
#154 <https://github.com/mozilla/pkipolicy/issues/154> - Require Management
Assertions to list Non-compliance – Add to MRSP 2.4 “If being audited to
the WebTrust criteria, the Management Assertion letter MUST include all
known incidents that occurred or were still open/unresolved at any time
during the audit period.”
#173 <https://github.com/mozilla/pkipolicy/issues/173> - Strengthen
requirement for newly included roots to meet all past and present
requirements – Add language to MRSP 7.1 so that it is clear that before
being included CAs must comply and have complied with past and present
Mozilla Root Store Policy and Baseline Requirements.
#186 <https://github.com/mozilla/pkipolicy/issues/186> - Clarify MRSP 5.3
Requirement to Disclose Self-signed Certificates – Clarify that self-signed
certificates with the same key pair as an existing root meets MRSP 5.3’s
definition of an intermediate certificate that must be disclosed in the
CCADB.
#187 <https://github.com/mozilla/pkipolicy/issues/187> - Require disclosure
of incidents in Audit Reports – To MRSP 3.1.4 “The publicly-available
documentation relating to each audit MUST contain at least the following
clearly-labelled information: “ add “11. all incidents (as defined in
section 2.4) that occurred or were still open/unresolved at any time during
the audit period, or a statement that the auditor is unaware of any;”
#192 <https://github.com/mozilla/pkipolicy/issues/192> - Require
information about auditor qualifications in the audit report – Require
audit statements to be accompanied by documentation of the auditor’s
qualifications demonstrating the auditor’s competence and experience.
#205 <https://github.com/mozilla/pkipolicy/issues/205> - Require CAs to
publish accepted methods for proving key compromise – Require CAs to
disclose their acceptable methods for proving key compromise in section
4.9.12 of their CPS.
#206 <https://github.com/mozilla/pkipolicy/issues/206> - Limit re-use of
domain name verification to 395 days – Amend item 5 in MRSP 2.1 with “and
verify ownership/control of each dNSName and iPAddress in the certificate's
subjectAltName at intervals of 398 days or less;”
#207 <https://github.com/mozilla/pkipolicy/issues/207> - Require audit
statements to provide information about which CA Locations were and were
not audited, and the extent to which they were (or were not) audited
#211 <https://github.com/mozilla/pkipolicy/issues/211> - Align OCSP
requirements in Mozilla's policy with the section 4.9.10 of the Baseline
Requirements
#218 <https://github.com/mozilla/pkipolicy/issues/218> Clarify CRL
requirements for End Entity Certificates – For CRLite, Mozilla would like
to ensure that it has full lists of revoked certificates. If the CA uses
partial CRLs, then require CAs to provide the URL location of their full
and complete CRL in the CCADB.
Ben Wilson
Mozilla Root Program Manager
Corey Bonnell
Oct 2, 2020, 7:16:23 AM10/2/20
to Ben Wilson, mozilla-dev-security-policy
Including https://github.com/mozilla/pkipolicy/issues/152 would be a useful clarification alongside issue 147, as it will better define the parameters that determine if a given intermediate is “EV capable”.
Thanks,
Corey
________________________________
From: dev-security-policy <dev-security-...@lists.mozilla.org> on behalf of Ben Wilson via dev-security-policy <dev-secur...@lists.mozilla.org>
Sent: Thursday, October 1, 2020 4:21:48 PM
To: mozilla-dev-security-policy <mozilla-dev-s...@lists.mozilla.org>
Subject: Policy 2.7.1 Issues to be Considered
Below is a list of issues that I propose be addressed in the next version
(2.7.1) of the Mozilla Root Store Policy (MRSP). There are currently 73
issues related to the MRSP listed here:
https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Fissues&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279585097&sdata=GZ8%2F%2FJg0sa%2FKAPcRes4w1tWPtQrXfd3xAdjoEY62gBQ%3D&reserved=0. So far, I have identified 13
dev-security-policy mailing list
dev-secur...@lists.mozilla.org
https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.mozilla.org%2Flistinfo%2Fdev-security-policy&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279605092&sdata=epO6teU3MyXthk06VJho10TVgSbN7se6%2F%2FM5iHuK96E%3D&reserved=0
Thanks,
Corey
________________________________
From: dev-security-policy <dev-security-...@lists.mozilla.org> on behalf of Ben Wilson via dev-security-policy <dev-secur...@lists.mozilla.org>
Sent: Thursday, October 1, 2020 4:21:48 PM
To: mozilla-dev-security-policy <mozilla-dev-s...@lists.mozilla.org>
Subject: Policy 2.7.1 Issues to be Considered
Below is a list of issues that I propose be addressed in the next version
(2.7.1) of the Mozilla Root Store Policy (MRSP). There are currently 73
issues related to the MRSP listed here:
items to consider for this policy update; which are tagged as v.2.7.1 in
GitHub (https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Flabels%2F2.7.1&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279585097&sdata=fNzV%2FEjnNTWKsA%2BNMJo08ESzNttlkIHINUr23jRy%2F5E%3D&reserved=0). I will
appreciate your input on this list as to whether there are issues that
should be added or removed. Then, based on the list, I will start a
separate discussion thread in mozilla.dev.security.policy for each issue.
#139 <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Fissues%2F139&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279585097&sdata=7xarPFNWPfgfEcddgA%2BsVk23dViiNv9QRxpEoqjp1vk%3D&reserved=0> - Audits are
should be added or removed. Then, based on the list, I will start a
separate discussion thread in mozilla.dev.security.policy for each issue.
required even if no longer issuing - Clarify that audits are required until
the CA certificate is revoked, expired, or removed. Related to Issue #153.
#147 <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Fissues%2F147&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279595092&sdata=kt7ywgVE5S6VqWB47cNsTf943OyNzdtSEbqA14%2F4TYo%3D&reserved=0> - Require EV audits
the CA certificate is revoked, expired, or removed. Related to Issue #153.
for certificates capable of issuing EV certificates – Clarify that EV
audits are required for all intermediate certificates that are technically
capable of issuing EV certificates, even when not currently issuing EV
certificates.
#153 <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Fissues%2F153&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279595092&sdata=FToJiGI1xtCsEBHmmRsB2P%2Fv%2B8SFqze5HouMkmsJ8lc%3D&reserved=0> – Cradle-to-Grave
audits are required for all intermediate certificates that are technically
capable of issuing EV certificates, even when not currently issuing EV
certificates.
Contiguous Audits – Specify the audits that are required from Root key
generation ceremony until expiration or removal from Mozilla’s root store.
Related to Issue #139.
#154 <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Fissues%2F154&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279595092&sdata=qEnD7LC%2FXsEF3Hs7u68fxA4fNAPFaP7rGLox7GvIjn4%3D&reserved=0> - Require Management
generation ceremony until expiration or removal from Mozilla’s root store.
Related to Issue #139.
Assertions to list Non-compliance – Add to MRSP 2.4 “If being audited to
the WebTrust criteria, the Management Assertion letter MUST include all
known incidents that occurred or were still open/unresolved at any time
during the audit period.”
#173 <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Fissues%2F173&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279595092&sdata=THxcETFV6slWGx4h3Y9E9l4OVcRvCf43iPjtoqqpIzc%3D&reserved=0> - Strengthen
the WebTrust criteria, the Management Assertion letter MUST include all
known incidents that occurred or were still open/unresolved at any time
during the audit period.”
requirement for newly included roots to meet all past and present
requirements – Add language to MRSP 7.1 so that it is clear that before
being included CAs must comply and have complied with past and present
Mozilla Root Store Policy and Baseline Requirements.
#186 <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Fissues%2F186&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279595092&sdata=dh6vJtrZyl627lpZkxM9yracHtNbZQ4T1G9cP4tmh6U%3D&reserved=0> - Clarify MRSP 5.3
requirements – Add language to MRSP 7.1 so that it is clear that before
being included CAs must comply and have complied with past and present
Mozilla Root Store Policy and Baseline Requirements.
Requirement to Disclose Self-signed Certificates – Clarify that self-signed
certificates with the same key pair as an existing root meets MRSP 5.3’s
definition of an intermediate certificate that must be disclosed in the
CCADB.
#187 <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Fissues%2F187&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279595092&sdata=F7DOhUVmT5K7hlZgWlHNaWmKxwNXSERT%2BTY4ire73Ys%3D&reserved=0> - Require disclosure
certificates with the same key pair as an existing root meets MRSP 5.3’s
definition of an intermediate certificate that must be disclosed in the
CCADB.
of incidents in Audit Reports – To MRSP 3.1.4 “The publicly-available
documentation relating to each audit MUST contain at least the following
clearly-labelled information: “ add “11. all incidents (as defined in
section 2.4) that occurred or were still open/unresolved at any time during
the audit period, or a statement that the auditor is unaware of any;”
#192 <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Fissues%2F192&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279595092&sdata=nntLfIfhi8Kdkk1WG5RhIMbmReNGkpVMzjzMhTlgmDc%3D&reserved=0> - Require
documentation relating to each audit MUST contain at least the following
clearly-labelled information: “ add “11. all incidents (as defined in
section 2.4) that occurred or were still open/unresolved at any time during
the audit period, or a statement that the auditor is unaware of any;”
information about auditor qualifications in the audit report – Require
audit statements to be accompanied by documentation of the auditor’s
qualifications demonstrating the auditor’s competence and experience.
#205 <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Fissues%2F205&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279595092&sdata=8Cr3PP7Qf2g6E%2FPZ1JZJAnG8cc5akuphIoSQPwmXyeg%3D&reserved=0> - Require CAs to
audit statements to be accompanied by documentation of the auditor’s
qualifications demonstrating the auditor’s competence and experience.
publish accepted methods for proving key compromise – Require CAs to
disclose their acceptable methods for proving key compromise in section
4.9.12 of their CPS.
#206 <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Fissues%2F206&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279605092&sdata=Ac8clvkhVFOBb7HKbP64chpEpTZvrK%2BmatwVllKiow0%3D&reserved=0> - Limit re-use of
disclose their acceptable methods for proving key compromise in section
4.9.12 of their CPS.
domain name verification to 395 days – Amend item 5 in MRSP 2.1 with “and
verify ownership/control of each dNSName and iPAddress in the certificate's
subjectAltName at intervals of 398 days or less;”
#207 <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Fissues%2F207&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279605092&sdata=8w3n%2FWAiCBbvZ73hWm8Hs9Y9rAy0qWgZWYZBiuz2g9c%3D&reserved=0> - Require audit
verify ownership/control of each dNSName and iPAddress in the certificate's
subjectAltName at intervals of 398 days or less;”
statements to provide information about which CA Locations were and were
not audited, and the extent to which they were (or were not) audited
#211 <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Fissues%2F211&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279605092&sdata=YBXaWeHPV6Fov6MaIlWq0PVr%2Blh%2FZT21iiZU8GJcpxE%3D&reserved=0> - Align OCSP
not audited, and the extent to which they were (or were not) audited
requirements in Mozilla's policy with the section 4.9.10 of the Baseline
Requirements
#218 <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Fissues%2F218&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279605092&sdata=W2sIZpCcW5Dv%2B5GbK7PEskjckVACsb9P96QI%2FywB5JI%3D&reserved=0> Clarify CRL
Requirements
requirements for End Entity Certificates – For CRLite, Mozilla would like
to ensure that it has full lists of revoked certificates. If the CA uses
partial CRLs, then require CAs to provide the URL location of their full
and complete CRL in the CCADB.
Ben Wilson
Mozilla Root Program Manager
_______________________________________________
to ensure that it has full lists of revoked certificates. If the CA uses
partial CRLs, then require CAs to provide the URL location of their full
and complete CRL in the CCADB.
Ben Wilson
Mozilla Root Program Manager
dev-security-policy mailing list
dev-secur...@lists.mozilla.org
https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.mozilla.org%2Flistinfo%2Fdev-security-policy&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279605092&sdata=epO6teU3MyXthk06VJho10TVgSbN7se6%2F%2FM5iHuK96E%3D&reserved=0
Doug Beattie
Oct 6, 2020, 2:19:33 PM10/6/20
to Ben Wilson, mozilla-dev-security-policy
Ben,
When, approximately, do you think this proposed updates would become effective, and specifically this item:
https://github.com/mozilla/pkipolicy/issues/206
Doug
-----Original Message-----
From: dev-security-policy <dev-security-...@lists.mozilla.org> On Behalf Of Ben Wilson via dev-security-policy
Sent: Thursday, October 1, 2020 4:22 PM
To: mozilla-dev-security-policy <mozilla-dev-s...@lists.mozilla.org>
Subject: Policy 2.7.1 Issues to be Considered
Below is a list of issues that I propose be addressed in the next version
(2.7.1) of the Mozilla Root Store Policy (MRSP). There are currently 73 issues related to the MRSP listed here:
https://github.com/mozilla/pkipolicy/issues. So far, I have identified 13 items to consider for this policy update; which are tagged as v.2.7.1 in GitHub (https://github.com/mozilla/pkipolicy/labels/2.7.1). I will appreciate your input on this list as to whether there are issues that should be added or removed. Then, based on the list, I will start a separate discussion thread in mozilla.dev.security.policy for each issue.
#139 <https://github.com/mozilla/pkipolicy/issues/139> - Audits are required even if no longer issuing - Clarify that audits are required until the CA certificate is revoked, expired, or removed. Related to Issue #153.
#147 <https://github.com/mozilla/pkipolicy/issues/147> - Require EV audits for certificates capable of issuing EV certificates – Clarify that EV audits are required for all intermediate certificates that are technically capable of issuing EV certificates, even when not currently issuing EV certificates.
#153 <https://github.com/mozilla/pkipolicy/issues/153> – Cradle-to-Grave Contiguous Audits – Specify the audits that are required from Root key generation ceremony until expiration or removal from Mozilla’s root store.
Related to Issue #139.
#154 <https://github.com/mozilla/pkipolicy/issues/154> - Require Management Assertions to list Non-compliance – Add to MRSP 2.4 “If being audited to the WebTrust criteria, the Management Assertion letter MUST include all known incidents that occurred or were still open/unresolved at any time during the audit period.”
#173 <https://github.com/mozilla/pkipolicy/issues/173> - Strengthen requirement for newly included roots to meet all past and present requirements – Add language to MRSP 7.1 so that it is clear that before being included CAs must comply and have complied with past and present Mozilla Root Store Policy and Baseline Requirements.
#186 <https://github.com/mozilla/pkipolicy/issues/186> - Clarify MRSP 5.3 Requirement to Disclose Self-signed Certificates – Clarify that self-signed certificates with the same key pair as an existing root meets MRSP 5.3’s definition of an intermediate certificate that must be disclosed in the CCADB.
#187 <https://github.com/mozilla/pkipolicy/issues/187> - Require disclosure of incidents in Audit Reports – To MRSP 3.1.4 “The publicly-available documentation relating to each audit MUST contain at least the following clearly-labelled information: “ add “11. all incidents (as defined in section 2.4) that occurred or were still open/unresolved at any time during the audit period, or a statement that the auditor is unaware of any;”
#192 <https://github.com/mozilla/pkipolicy/issues/192> - Require information about auditor qualifications in the audit report – Require audit statements to be accompanied by documentation of the auditor’s qualifications demonstrating the auditor’s competence and experience.
#205 <https://github.com/mozilla/pkipolicy/issues/205> - Require CAs to publish accepted methods for proving key compromise – Require CAs to disclose their acceptable methods for proving key compromise in section
4.9.12 of their CPS.
#206 <https://github.com/mozilla/pkipolicy/issues/206> - Limit re-use of domain name verification to 395 days – Amend item 5 in MRSP 2.1 with “and verify ownership/control of each dNSName and iPAddress in the certificate's subjectAltName at intervals of 398 days or less;”
#207 <https://github.com/mozilla/pkipolicy/issues/207> - Require audit statements to provide information about which CA Locations were and were not audited, and the extent to which they were (or were not) audited
#211 <https://github.com/mozilla/pkipolicy/issues/211> - Align OCSP requirements in Mozilla's policy with the section 4.9.10 of the Baseline Requirements
#218 <https://github.com/mozilla/pkipolicy/issues/218> Clarify CRL requirements for End Entity Certificates – For CRLite, Mozilla would like to ensure that it has full lists of revoked certificates. If the CA uses partial CRLs, then require CAs to provide the URL location of their full and complete CRL in the CCADB.
Ben Wilson
Mozilla Root Program Manager
_______________________________________________
dev-security-policy mailing list
dev-secur...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
When, approximately, do you think this proposed updates would become effective, and specifically this item:
https://github.com/mozilla/pkipolicy/issues/206
Doug
-----Original Message-----
From: dev-security-policy <dev-security-...@lists.mozilla.org> On Behalf Of Ben Wilson via dev-security-policy
Sent: Thursday, October 1, 2020 4:22 PM
To: mozilla-dev-security-policy <mozilla-dev-s...@lists.mozilla.org>
Subject: Policy 2.7.1 Issues to be Considered
Below is a list of issues that I propose be addressed in the next version
(2.7.1) of the Mozilla Root Store Policy (MRSP). There are currently 73 issues related to the MRSP listed here:
#139 <https://github.com/mozilla/pkipolicy/issues/139> - Audits are required even if no longer issuing - Clarify that audits are required until the CA certificate is revoked, expired, or removed. Related to Issue #153.
#147 <https://github.com/mozilla/pkipolicy/issues/147> - Require EV audits for certificates capable of issuing EV certificates – Clarify that EV audits are required for all intermediate certificates that are technically capable of issuing EV certificates, even when not currently issuing EV certificates.
#153 <https://github.com/mozilla/pkipolicy/issues/153> – Cradle-to-Grave Contiguous Audits – Specify the audits that are required from Root key generation ceremony until expiration or removal from Mozilla’s root store.
Related to Issue #139.
#154 <https://github.com/mozilla/pkipolicy/issues/154> - Require Management Assertions to list Non-compliance – Add to MRSP 2.4 “If being audited to the WebTrust criteria, the Management Assertion letter MUST include all known incidents that occurred or were still open/unresolved at any time during the audit period.”
#173 <https://github.com/mozilla/pkipolicy/issues/173> - Strengthen requirement for newly included roots to meet all past and present requirements – Add language to MRSP 7.1 so that it is clear that before being included CAs must comply and have complied with past and present Mozilla Root Store Policy and Baseline Requirements.
#186 <https://github.com/mozilla/pkipolicy/issues/186> - Clarify MRSP 5.3 Requirement to Disclose Self-signed Certificates – Clarify that self-signed certificates with the same key pair as an existing root meets MRSP 5.3’s definition of an intermediate certificate that must be disclosed in the CCADB.
#187 <https://github.com/mozilla/pkipolicy/issues/187> - Require disclosure of incidents in Audit Reports – To MRSP 3.1.4 “The publicly-available documentation relating to each audit MUST contain at least the following clearly-labelled information: “ add “11. all incidents (as defined in section 2.4) that occurred or were still open/unresolved at any time during the audit period, or a statement that the auditor is unaware of any;”
#192 <https://github.com/mozilla/pkipolicy/issues/192> - Require information about auditor qualifications in the audit report – Require audit statements to be accompanied by documentation of the auditor’s qualifications demonstrating the auditor’s competence and experience.
#205 <https://github.com/mozilla/pkipolicy/issues/205> - Require CAs to publish accepted methods for proving key compromise – Require CAs to disclose their acceptable methods for proving key compromise in section
4.9.12 of their CPS.
#206 <https://github.com/mozilla/pkipolicy/issues/206> - Limit re-use of domain name verification to 395 days – Amend item 5 in MRSP 2.1 with “and verify ownership/control of each dNSName and iPAddress in the certificate's subjectAltName at intervals of 398 days or less;”
#207 <https://github.com/mozilla/pkipolicy/issues/207> - Require audit statements to provide information about which CA Locations were and were not audited, and the extent to which they were (or were not) audited
#211 <https://github.com/mozilla/pkipolicy/issues/211> - Align OCSP requirements in Mozilla's policy with the section 4.9.10 of the Baseline Requirements
#218 <https://github.com/mozilla/pkipolicy/issues/218> Clarify CRL requirements for End Entity Certificates – For CRLite, Mozilla would like to ensure that it has full lists of revoked certificates. If the CA uses partial CRLs, then require CAs to provide the URL location of their full and complete CRL in the CCADB.
Ben Wilson
Mozilla Root Program Manager
_______________________________________________
dev-security-policy mailing list
dev-secur...@lists.mozilla.org
Ben Wilson
Oct 6, 2020, 3:05:29 PM10/6/20
to Doug Beattie, mozilla-dev-security-policy
Doug,
I don't have any preconceived notions. I was hoping that by discussing the
implementation issues for each issue we could determine appropriate
timeframes.
Ben
On Tue, Oct 6, 2020 at 12:19 PM Doug Beattie <doug.b...@globalsign.com>
wrote:
I don't have any preconceived notions. I was hoping that by discussing the
implementation issues for each issue we could determine appropriate
timeframes.
Ben
On Tue, Oct 6, 2020 at 12:19 PM Doug Beattie <doug.b...@globalsign.com>
wrote:
Ben Wilson
Oct 6, 2020, 4:43:23 PM10/6/20
to Corey Bonnell, mozilla-dev-security-policy
Corey,
We will add this to the 2.7.1 batch of proposed changes. I've started
discussion of Issue 147, so we can discuss it there, or I can create a
separate email thread for it.
On Fri, Oct 2, 2020 at 5:16 AM Corey Bonnell <cbon...@outlook.com> wrote:
> Including https://github.com/mozilla/pkipolicy/issues/152 would be a
> useful clarification alongside issue 147, as it will better define the
> parameters that determine if a given intermediate is “EV capable”.
>
> Thanks,
> Corey
> ------------------------------
> *From:* dev-security-policy <dev-security-...@lists.mozilla.org>
> *Sent:* Thursday, October 1, 2020 4:21:48 PM
> *To:* mozilla-dev-security-policy <
> mozilla-dev-s...@lists.mozilla.org>
> *Subject:* Policy 2.7.1 Issues to be Considered
>
We will add this to the 2.7.1 batch of proposed changes. I've started
discussion of Issue 147, so we can discuss it there, or I can create a
separate email thread for it.
On Fri, Oct 2, 2020 at 5:16 AM Corey Bonnell <cbon...@outlook.com> wrote:
> Including https://github.com/mozilla/pkipolicy/issues/152 would be a
> useful clarification alongside issue 147, as it will better define the
> parameters that determine if a given intermediate is “EV capable”.
>
> Thanks,
> Corey
> *From:* dev-security-policy <dev-security-...@lists.mozilla.org>
> *Sent:* Thursday, October 1, 2020 4:21:48 PM
> *To:* mozilla-dev-security-policy <
> mozilla-dev-s...@lists.mozilla.org>
> *Subject:* Policy 2.7.1 Issues to be Considered
>
> Below is a list of issues that I propose be addressed in the next version
> (2.7.1) of the Mozilla Root Store Policy (MRSP). There are currently 73
> issues related to the MRSP listed here:
>
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Fissues&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279585097&sdata=GZ8%2F%2FJg0sa%2FKAPcRes4w1tWPtQrXfd3xAdjoEY62gBQ%3D&reserved=0.
> Below is a list of issues that I propose be addressed in the next version
> (2.7.1) of the Mozilla Root Store Policy (MRSP). There are currently 73
> issues related to the MRSP listed here:
>
> So far, I have identified 13
> items to consider for this policy update; which are tagged as v.2.7.1 in
> GitHub (
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Flabels%2F2.7.1&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279585097&sdata=fNzV%2FEjnNTWKsA%2BNMJo08ESzNttlkIHINUr23jRy%2F5E%3D&reserved=0).
> items to consider for this policy update; which are tagged as v.2.7.1 in
> GitHub (
> I will
> appreciate your input on this list as to whether there are issues that
> should be added or removed. Then, based on the list, I will start a
> separate discussion thread in mozilla.dev.security.policy for each issue.
>
> #139 <
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Fissues%2F139&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279585097&sdata=7xarPFNWPfgfEcddgA%2BsVk23dViiNv9QRxpEoqjp1vk%3D&reserved=0>
> appreciate your input on this list as to whether there are issues that
> should be added or removed. Then, based on the list, I will start a
> separate discussion thread in mozilla.dev.security.policy for each issue.
>
> #139 <
> - Audits are
> required even if no longer issuing - Clarify that audits are required until
> the CA certificate is revoked, expired, or removed. Related to Issue #153.
>
> #147 <
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Fissues%2F147&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279595092&sdata=kt7ywgVE5S6VqWB47cNsTf943OyNzdtSEbqA14%2F4TYo%3D&reserved=0>
> required even if no longer issuing - Clarify that audits are required until
> the CA certificate is revoked, expired, or removed. Related to Issue #153.
>
> #147 <
> - Require EV audits
> for certificates capable of issuing EV certificates – Clarify that EV
> audits are required for all intermediate certificates that are technically
> capable of issuing EV certificates, even when not currently issuing EV
> certificates.
>
> #153 <
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Fissues%2F153&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279595092&sdata=FToJiGI1xtCsEBHmmRsB2P%2Fv%2B8SFqze5HouMkmsJ8lc%3D&reserved=0>
> for certificates capable of issuing EV certificates – Clarify that EV
> audits are required for all intermediate certificates that are technically
> capable of issuing EV certificates, even when not currently issuing EV
> certificates.
>
> #153 <
> – Cradle-to-Grave
> Contiguous Audits – Specify the audits that are required from Root key
> generation ceremony until expiration or removal from Mozilla’s root store.
> Related to Issue #139.
>
> #154 <
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Fissues%2F154&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279595092&sdata=qEnD7LC%2FXsEF3Hs7u68fxA4fNAPFaP7rGLox7GvIjn4%3D&reserved=0>
> Contiguous Audits – Specify the audits that are required from Root key
> generation ceremony until expiration or removal from Mozilla’s root store.
> Related to Issue #139.
>
> #154 <
> - Require Management
> Assertions to list Non-compliance – Add to MRSP 2.4 “If being audited to
> the WebTrust criteria, the Management Assertion letter MUST include all
> known incidents that occurred or were still open/unresolved at any time
> during the audit period.”
>
> #173 <
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Fissues%2F173&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279595092&sdata=THxcETFV6slWGx4h3Y9E9l4OVcRvCf43iPjtoqqpIzc%3D&reserved=0>
> Assertions to list Non-compliance – Add to MRSP 2.4 “If being audited to
> the WebTrust criteria, the Management Assertion letter MUST include all
> known incidents that occurred or were still open/unresolved at any time
> during the audit period.”
>
> #173 <
> - Strengthen
> requirement for newly included roots to meet all past and present
> requirements – Add language to MRSP 7.1 so that it is clear that before
> being included CAs must comply and have complied with past and present
> Mozilla Root Store Policy and Baseline Requirements.
>
> #186 <
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Fissues%2F186&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279595092&sdata=dh6vJtrZyl627lpZkxM9yracHtNbZQ4T1G9cP4tmh6U%3D&reserved=0>
> requirement for newly included roots to meet all past and present
> requirements – Add language to MRSP 7.1 so that it is clear that before
> being included CAs must comply and have complied with past and present
> Mozilla Root Store Policy and Baseline Requirements.
>
> #186 <
> - Clarify MRSP 5.3
> Requirement to Disclose Self-signed Certificates – Clarify that self-signed
> certificates with the same key pair as an existing root meets MRSP 5.3’s
> definition of an intermediate certificate that must be disclosed in the
> CCADB.
>
> #187 <
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Fissues%2F187&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279595092&sdata=F7DOhUVmT5K7hlZgWlHNaWmKxwNXSERT%2BTY4ire73Ys%3D&reserved=0>
> Requirement to Disclose Self-signed Certificates – Clarify that self-signed
> certificates with the same key pair as an existing root meets MRSP 5.3’s
> definition of an intermediate certificate that must be disclosed in the
> CCADB.
>
> #187 <
> - Require disclosure
> of incidents in Audit Reports – To MRSP 3.1.4 “The publicly-available
> documentation relating to each audit MUST contain at least the following
> clearly-labelled information: “ add “11. all incidents (as defined in
> section 2.4) that occurred or were still open/unresolved at any time during
> the audit period, or a statement that the auditor is unaware of any;”
>
> #192 <
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Fissues%2F192&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279595092&sdata=nntLfIfhi8Kdkk1WG5RhIMbmReNGkpVMzjzMhTlgmDc%3D&reserved=0>
> of incidents in Audit Reports – To MRSP 3.1.4 “The publicly-available
> documentation relating to each audit MUST contain at least the following
> clearly-labelled information: “ add “11. all incidents (as defined in
> section 2.4) that occurred or were still open/unresolved at any time during
> the audit period, or a statement that the auditor is unaware of any;”
>
> #192 <
> - Require
> information about auditor qualifications in the audit report – Require
> audit statements to be accompanied by documentation of the auditor’s
> qualifications demonstrating the auditor’s competence and experience.
>
> #205 <
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Fissues%2F205&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279595092&sdata=8Cr3PP7Qf2g6E%2FPZ1JZJAnG8cc5akuphIoSQPwmXyeg%3D&reserved=0>
> information about auditor qualifications in the audit report – Require
> audit statements to be accompanied by documentation of the auditor’s
> qualifications demonstrating the auditor’s competence and experience.
>
> #205 <
> - Require CAs to
> publish accepted methods for proving key compromise – Require CAs to
> disclose their acceptable methods for proving key compromise in section
> 4.9.12 of their CPS.
>
> #206 <
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Fissues%2F206&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279605092&sdata=Ac8clvkhVFOBb7HKbP64chpEpTZvrK%2BmatwVllKiow0%3D&reserved=0>
> publish accepted methods for proving key compromise – Require CAs to
> disclose their acceptable methods for proving key compromise in section
> 4.9.12 of their CPS.
>
> #206 <
> - Limit re-use of
> domain name verification to 395 days – Amend item 5 in MRSP 2.1 with “and
> verify ownership/control of each dNSName and iPAddress in the certificate's
> subjectAltName at intervals of 398 days or less;”
>
> #207 <
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Fissues%2F207&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279605092&sdata=8w3n%2FWAiCBbvZ73hWm8Hs9Y9rAy0qWgZWYZBiuz2g9c%3D&reserved=0>
> domain name verification to 395 days – Amend item 5 in MRSP 2.1 with “and
> verify ownership/control of each dNSName and iPAddress in the certificate's
> subjectAltName at intervals of 398 days or less;”
>
> #207 <
> - Require audit
> statements to provide information about which CA Locations were and were
> not audited, and the extent to which they were (or were not) audited
>
> #211 <
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Fissues%2F211&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279605092&sdata=YBXaWeHPV6Fov6MaIlWq0PVr%2Blh%2FZT21iiZU8GJcpxE%3D&reserved=0>
> statements to provide information about which CA Locations were and were
> not audited, and the extent to which they were (or were not) audited
>
> #211 <
> - Align OCSP
> requirements in Mozilla's policy with the section 4.9.10 of the Baseline
> Requirements
> #218 <
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Fissues%2F218&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279605092&sdata=W2sIZpCcW5Dv%2B5GbK7PEskjckVACsb9P96QI%2FywB5JI%3D&reserved=0>
> requirements in Mozilla's policy with the section 4.9.10 of the Baseline
> Requirements
> #218 <
> Clarify CRL
> requirements for End Entity Certificates – For CRLite, Mozilla would like
> to ensure that it has full lists of revoked certificates. If the CA uses
> partial CRLs, then require CAs to provide the URL location of their full
> and complete CRL in the CCADB.
>
> Ben Wilson
> Mozilla Root Program Manager
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
>
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.mozilla.org%2Flistinfo%2Fdev-security-policy&data=02%7C01%7C%7C3ef02764f0b14af6998e08d86647ab2e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637371805279605092&sdata=epO6teU3MyXthk06VJho10TVgSbN7se6%2F%2FM5iHuK96E%3D&reserved=0
> requirements for End Entity Certificates – For CRLite, Mozilla would like
> to ensure that it has full lists of revoked certificates. If the CA uses
> partial CRLs, then require CAs to provide the URL location of their full
> and complete CRL in the CCADB.
>
> Ben Wilson
> Mozilla Root Program Manager
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
>
>
0 new messages