On 4/28/14, 12:04 PM, Kathleen Wilson wrote:
> All,
> Here is a DRAFT CA Communication that I would like to send next week. I
> will greatly appreciate your thoughtful and constructive feedback on it.
All,
I have moved the draft of the CA Communication to the wiki page:
https://wiki.mozilla.org/CA:Communications
It is still open for discussion and it is still “DRAFT”, so may be modified.
If I send the communication on May 12, should I request that CAs respond
by May 30?
(I’d like a response relatively soon, but I understand that many CAs
were impacted by Heartbleed.)
In regard to action #5, I think we need to add another option to allow
CAs to specify if they have certain subordinate CAs who aren’t quite
ready to move off of their legacy systems for reasons such as: the
migration to their new system is taking longer than expected; or need to
operate their legacy subCAs a little longer to avoid service disruption.
My goal is to move things in the right direction; I am OK with granting
extensions to subordinate CAs who can demonstrate that they have been
working towards the deadline, and explain why they need a little more time.
Therefore, I propose adding an option “C”, as follows.
--
5) Send Mozilla information about your publicly disclosed intermediate
certificates that chain up to certificates in Mozilla's CA program, as
per Items #8, 9, and 10 of Mozilla's CA Certificate Inclusion Policy.
Please respond with one of the following:
A) All intermediate certificates chaining up to our certificates in
Mozilla's CA program are either included in our annual audits and listed
in our annual audit statements, or are technically constrained according
to section 9 of Mozilla's CA Certificate Inclusion Policy.
B) The required information, according to section 10 of Mozilla's CA
Certificate Inclusion Policy, is available here: <URL to a web page, or
Bugzilla Bug Number>.
C) We request an extension for specific subordinate CAs who need more
time to transition from their legacy systems to their new CA hierarchy.
For the subordinate CAs who were able to meet the deadline, the required
information, according to section 10 of Mozilla's CA Certificate
Inclusion Policy, is available here: <URL to a web page, or Bugzilla Bug
Number>. For each subordinate CA who needs to operate in their legacy
design a little longer, the attached document explains the reason that
continued operation is needed and their target date for resolution.
<attach document(s) to response>
--
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy