info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Policy 2.7.1: Process Overview
131 views
Skip to first unread message
Ben Wilson
Nov 9, 2020, 4:14:35 PM11/9/20
to mozilla-dev-security-policy
Re-posting this email to start it with its own subject line and to start a
new thread:
There have been questions about the process being followed and the comment
period. Here is where it now stands.
I intend to introduce the remaining discussion topics over the next three
weeks. I did not announce an end to the discussion period on purpose, so
that we can have as full of a discussion as possible. Also, in the next
three weeks, I intend to start summarizing the discussions and coming up
with new suggested language on those issues that have been discussed. I
expect that during December we will start to solidify the amendments to
MRSP (v.2.7.1), and that in January I'll announce a "last call" on the
amendments. Following that I will "summarize a consensus that has been
reached, and/or state the official position of Mozilla" - see
https://wiki.mozilla.org/CA/Updating_Root_Store_Policy.
Part of the discussion that will still need to take place deals with
implementation deadlines, timing, etc. Let's discuss that now for the
non-controversial items, and then in late December / early January for
those that are more contentious (assuming they remain in this batch of
changes).
Sincerely yours,
Ben Wilson
Mozilla Root Store
new thread:
There have been questions about the process being followed and the comment
period. Here is where it now stands.
I intend to introduce the remaining discussion topics over the next three
weeks. I did not announce an end to the discussion period on purpose, so
that we can have as full of a discussion as possible. Also, in the next
three weeks, I intend to start summarizing the discussions and coming up
with new suggested language on those issues that have been discussed. I
expect that during December we will start to solidify the amendments to
MRSP (v.2.7.1), and that in January I'll announce a "last call" on the
amendments. Following that I will "summarize a consensus that has been
reached, and/or state the official position of Mozilla" - see
https://wiki.mozilla.org/CA/Updating_Root_Store_Policy.
Part of the discussion that will still need to take place deals with
implementation deadlines, timing, etc. Let's discuss that now for the
non-controversial items, and then in late December / early January for
those that are more contentious (assuming they remain in this batch of
changes).
Sincerely yours,
Ben Wilson
Mozilla Root Store
Ben Wilson
Nov 11, 2020, 3:27:45 PM11/11/20
to mozilla-dev-security-policy
I believe that this is where we are so far. I have not received any
comments on issues 139, 147, 154, 173, or 205.
I have not sent an email out yet for issues 206, 207, 211 or 218.
*Issue*
*When Announced; Status*
#139 <https://github.com/mozilla/pkipolicy/issues/139> - Audits are
required even if no longer issuing - Clarify that audits are required until
the CA certificate is revoked, expired, or removed. Related to Issue #153.
10/6/2020; no comments yet
#147 <https://github.com/mozilla/pkipolicy/issues/147> - Require EV audits
for certificates capable of issuing EV certificates – Clarify that EV
audits are required for all intermediate certificates that are technically
capable of issuing EV certificates, even when not currently issuing EV
certificates.
10/6/2020; no comments yet
#152 <https://github.com/mozilla/pkipolicy/issues/152> - Add EV Audit
exception for Policy Constraints – leaf certificates do not receive EV
treatment unless signed by an intermediate CA with EV OID or anyPolicy OID,
therefore they can be excluded from EV audits.
10/15/2020; comments
#153 <https://github.com/mozilla/pkipolicy/issues/153> – Cradle-to-Grave
Contiguous Audits – Specify the audits that are required from Root key
generation ceremony until expiration or removal from Mozilla’s root store.
Related to Issue #139.
10/15/2020; comments
#154 <https://github.com/mozilla/pkipolicy/issues/154> - Require Management
Assertions to list Non-compliance – Add to MRSP 2.4 “If being audited to
the WebTrust criteria, the Management Assertion letter MUST include all
known incidents that occurred or were still open/unresolved at any time
during the audit period.”
10/22/2020; no comments yet
#173 <https://github.com/mozilla/pkipolicy/issues/173> - Strengthen
requirement for newly included roots to meet all past and present
requirements – Add language to MRSP 7.1 so that it is clear that before
being included CAs must comply and have complied with past and present
Mozilla Root Store Policy and Baseline Requirements.
10/28/2020; no comments yet
#186 <https://github.com/mozilla/pkipolicy/issues/186> - Clarify MRSP 5.3
Requirement to Disclose Self-signed Certificates – Clarify that self-signed
certificates with the same key pair as an existing root meets MRSP 5.3’s
definition of an intermediate certificate that must be disclosed in the
CCADB.
10/28/2020; comments
#187 <https://github.com/mozilla/pkipolicy/issues/187> - Require disclosure
of incidents in Audit Reports – To MRSP 3.1.4 “The publicly-available
documentation relating to each audit MUST contain at least the following
clearly-labelled information: “ add “11. all incidents (as defined in
section 2.4) that occurred or were still open/unresolved at any time during
the audit period, or a statement that the auditor is unaware of any;”
10/22/2020; comments
#192 <https://github.com/mozilla/pkipolicy/issues/192> - Require
information about auditor qualifications in the audit report – Require
audit statements to be accompanied by documentation of the auditor’s
qualifications demonstrating the auditor’s competence and experience.
11/3/2020; comments
#205 <https://github.com/mozilla/pkipolicy/issues/205> - Require CAs to
publish accepted methods for proving key compromise – Require CAs to
disclose their acceptable methods for proving key compromise in section
4.9.12 of their CPS.
11/5/2020; no comments yet
#206 <https://github.com/mozilla/pkipolicy/issues/206> - Limit re-use of
domain name verification to 395 days – Amend item 5 in MRSP 2.1 with “and
verify ownership/control of each dNSName and iPAddress in the certificate's
subjectAltName at intervals of 398 days or less;”
Not sent to m.d.s.p. list yet
#207 <https://github.com/mozilla/pkipolicy/issues/207> - Require audit
statements to provide information about which CA Locations were and were
not audited, and the extent to which they were (or were not) audited
Not sent to m.d.s.p. list yet
#211 <https://github.com/mozilla/pkipolicy/issues/211> - Align OCSP
requirements in Mozilla's policy with the section 4.9.10 of the Baseline
Requirements
Not sent to m.d.s.p. list yet
#218 <https://github.com/mozilla/pkipolicy/issues/218> Clarify CRL
requirements for End Entity Certificates – For CRLite, Mozilla would like
to ensure that it has full lists of revoked certificates. If the CA uses
partial CRLs, then require CAs to provide the URL location of their full
and complete CRL in the CCADB.
Not sent to m.d.s.p. list yet
comments on issues 139, 147, 154, 173, or 205.
I have not sent an email out yet for issues 206, 207, 211 or 218.
*Issue*
*When Announced; Status*
#139 <https://github.com/mozilla/pkipolicy/issues/139> - Audits are
required even if no longer issuing - Clarify that audits are required until
the CA certificate is revoked, expired, or removed. Related to Issue #153.
10/6/2020; no comments yet
#147 <https://github.com/mozilla/pkipolicy/issues/147> - Require EV audits
for certificates capable of issuing EV certificates – Clarify that EV
audits are required for all intermediate certificates that are technically
capable of issuing EV certificates, even when not currently issuing EV
certificates.
10/6/2020; no comments yet
#152 <https://github.com/mozilla/pkipolicy/issues/152> - Add EV Audit
exception for Policy Constraints – leaf certificates do not receive EV
treatment unless signed by an intermediate CA with EV OID or anyPolicy OID,
therefore they can be excluded from EV audits.
10/15/2020; comments
#153 <https://github.com/mozilla/pkipolicy/issues/153> – Cradle-to-Grave
Contiguous Audits – Specify the audits that are required from Root key
generation ceremony until expiration or removal from Mozilla’s root store.
Related to Issue #139.
10/15/2020; comments
#154 <https://github.com/mozilla/pkipolicy/issues/154> - Require Management
Assertions to list Non-compliance – Add to MRSP 2.4 “If being audited to
the WebTrust criteria, the Management Assertion letter MUST include all
known incidents that occurred or were still open/unresolved at any time
during the audit period.”
10/22/2020; no comments yet
#173 <https://github.com/mozilla/pkipolicy/issues/173> - Strengthen
requirement for newly included roots to meet all past and present
requirements – Add language to MRSP 7.1 so that it is clear that before
being included CAs must comply and have complied with past and present
Mozilla Root Store Policy and Baseline Requirements.
10/28/2020; no comments yet
#186 <https://github.com/mozilla/pkipolicy/issues/186> - Clarify MRSP 5.3
Requirement to Disclose Self-signed Certificates – Clarify that self-signed
certificates with the same key pair as an existing root meets MRSP 5.3’s
definition of an intermediate certificate that must be disclosed in the
CCADB.
10/28/2020; comments
#187 <https://github.com/mozilla/pkipolicy/issues/187> - Require disclosure
of incidents in Audit Reports – To MRSP 3.1.4 “The publicly-available
documentation relating to each audit MUST contain at least the following
clearly-labelled information: “ add “11. all incidents (as defined in
section 2.4) that occurred or were still open/unresolved at any time during
the audit period, or a statement that the auditor is unaware of any;”
10/22/2020; comments
#192 <https://github.com/mozilla/pkipolicy/issues/192> - Require
information about auditor qualifications in the audit report – Require
audit statements to be accompanied by documentation of the auditor’s
qualifications demonstrating the auditor’s competence and experience.
11/3/2020; comments
#205 <https://github.com/mozilla/pkipolicy/issues/205> - Require CAs to
publish accepted methods for proving key compromise – Require CAs to
disclose their acceptable methods for proving key compromise in section
4.9.12 of their CPS.
11/5/2020; no comments yet
#206 <https://github.com/mozilla/pkipolicy/issues/206> - Limit re-use of
domain name verification to 395 days – Amend item 5 in MRSP 2.1 with “and
verify ownership/control of each dNSName and iPAddress in the certificate's
subjectAltName at intervals of 398 days or less;”
Not sent to m.d.s.p. list yet
#207 <https://github.com/mozilla/pkipolicy/issues/207> - Require audit
statements to provide information about which CA Locations were and were
not audited, and the extent to which they were (or were not) audited
Not sent to m.d.s.p. list yet
#211 <https://github.com/mozilla/pkipolicy/issues/211> - Align OCSP
requirements in Mozilla's policy with the section 4.9.10 of the Baseline
Requirements
Not sent to m.d.s.p. list yet
#218 <https://github.com/mozilla/pkipolicy/issues/218> Clarify CRL
requirements for End Entity Certificates – For CRLite, Mozilla would like
to ensure that it has full lists of revoked certificates. If the CA uses
partial CRLs, then require CAs to provide the URL location of their full
and complete CRL in the CCADB.
Not sent to m.d.s.p. list yet
0 new messages