The Mozilla CA Certificate policy says that all certificates which are capable of being used to issue new certificates must either be technically constrained or be publicly disclosed and audited.
For certificates in the latter category, there are several requirements. I'm hoping to get clarity on two of the requirements.

First, the policy says "All disclosure MUST be made freely available and without additional requirements, including, but not limited to, registration, legal agreements, or restrictions on redistribution of the certificates in whole or in part." If I read this very strictly, then all the items being disclosed have to essentially be public domain (Creative Commons Public Domain Declaration or similar), as most any license places requirements on redistribution. However, I don't think that is probably the intent of the requirement. Is there a list of what restrictions are acceptable or unacceptable?

Second, the policy says an "annual public attestation of conformance to the stated certificate verification requirements and other operational criteria by a competent independent party or parties with access to the details of the subordinate CA’s internal operations" must be provided. I'm not clear on what Mozilla expects here when standing up a new subordinate and disclosing it for the first time. Assuming the operator has an audit program in place, it is possible that it will be 12+ months until they have an opinion from their auditor that calls out the new subordinate (11 months to complete the current period plus up to 60 days to get the opinion). Does the operator just provide a link to their current audit opinion and a statement that the new certificate will be included in the audit program?

Thanks,
Peter

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

