On 5/22/15 2:15 PM, Kathleen Wilson wrote:
On 4/7/15 5:31 PM, Richard Barnes wrote:
As noted in our earlier conclusion with regard to CNNIC's status [1], the
CNNIC roots are currently in a partially disabled state, in which
certificates chaining to these roots are only to be accepted if they were
issued before 1 Apr 2015.  CNNIC may reapply for full inclusion following
the normal process, along with any additional steps that this community
decides to require of them.  The purpose of this thread is to discuss what
additional steps, if any, we should require.

CNNIC has already provided Mozilla with a list of certificates issued
before 1 Apr 2015.  We are working on publishing this list.  CNNIC has also
informed Mozilla that they plan to take the following steps:
<snip>

[1]
https://groups.google.com/d/msg/mozilla.dev.security.policy/czwlDNbwHXM/qPcyC_DWlSwJ

[2]
http://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html

[3] http://tools.ietf.org/html/rfc6962

Here is my interpretation of the result of this discussion, and what I
should communicate to CNNIC...

CNNIC may re-apply for full inclusion following the normal process,
after they have completed the following additional steps.

1. Provide a list of changes CNNIC has implemented to ensure that there
are no future violations of Mozilla Policy and the Baseline Requirements.

2. Improve CNNIC’s process for authorizing intermediate CAs, and fully
document this improved process in the CP/CPS.

3. Include in this year's WebTrust audit an explicit confirmation by the
auditor that these changes have been implemented and enforced.

4. Provide auditor attestation that a full performance audit has been
performed confirming BR compliance according to
https://wiki.mozilla.org/CA:BaselineRequirements

5. April 1, 2016 is the earliest date at which CNNIC may apply for full
inclusion, so SSL certificates issued after Apr 1 2015 for new domains
will be recognized.

Please reply if I've missed anything that needs to be added to this list.

Thanks,
Kathleen

Thanks to all of you for your input on this. To summarize...

Re-write item #5, to:
"April 1, 2016 is the earliest date at which CNNIC may apply for full inclusion. If approved, we will remove the restriction currently in place on their SSL certificates issued after Apr 1 2015. If denied, we will remove the CNNIC root certificates from NSS."

CT -- Continued discussion about whether Mozilla should require CNNIC to implement CT. I've decided that I will not require this of CNNIC before they may re-apply. While I am completely in favor of transparency, there are still questions about the implementation details that are being discussed elsewhere.

New root cert -- Gerv's argument on June 11 against requiring CNNIC to re-apply with a new root cert resonated with me. So I am not going to add this requirement.

Therefore, the result of this discussion is as follows:
==
CNNIC may re-apply for full inclusion following the normal process, after they have completed the following additional steps.

1. Provide a list of changes CNNIC has implemented to ensure that there are no future violations of Mozilla Policy and the Baseline Requirements.

2. Improve CNNIC’s process for authorizing intermediate CAs, and fully document this improved process in the CP/CPS.

3. Include in this year's WebTrust audit an explicit confirmation by the auditor that these changes have been implemented and enforced.

4. Provide auditor attestation that a full performance audit has been performed confirming BR compliance according to https://wiki.mozilla.org/CA:BaselineRequirements

5. April 1, 2016 is the earliest date at which CNNIC may apply for full inclusion. If approved, we will remove the restriction currently in place on their SSL certificates issued after Apr 1 2015. If denied, we will remove the CNNIC root certificates from NSS.
==

Please reply if you see any errors in this. Otherwise, I will close this discussion and communicate this to CNNIC.

Thanks,
Kathleen

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
