All,

It's time to begin discussions about updating Mozilla's CA Certificate
Policy.

The current policy is here:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/

Inclusion Policy:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/

Maintenance Policy:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/

A list of the things to consider changing is here:
https://wiki.mozilla.org/CA:CertPolicyUpdates#Consider_for_Version_2.3

Please review the list to let me know if there are any topics missing.

To start with, I would like to make the following changes, so please
reply soon if you foresee any problems with these:

1) Update BR section numbers to correspond with BR version 1.3 that was
published in April.
https://cabforum.org/wp-content/uploads/RFC3647_Comparison_Table_for_Baseline_Requirements.pdf
Note that this also applies to the process/policy wiki pages.

2) Update item #12 of the Inclusion Policy to refer to a more recent
version of the CA/Browser Forum Baseline Requirements. And add "or
later" to the BR version number.
Which version number should I use?

3) Remove "ISO 21188:2006 Public key infrastructure for financial
services -- Practices and policy framework;" from item #11 of the
Inclusion Policy.

4) In the first bullet point of item #9 of the Maintenance Policy remove
the "after June 30, 2011" and add MD2 and MD4.
Current text: "after June 30, 2011, software published by Mozilla will
return an error when a certificate with an MD5-based signature is used;"
Proposed new text: "software published by Mozilla will return an error
when a certificate with an MD2, MD4, or MD5-based signature is used;"

5) Update the second bullet point of item #9 of the Maintenance Policy.
Current text: "all end-entity certificates with RSA key sizes smaller
than 2048 bits must expire by December 31, 2013;"
Proposed new text: "software published by Mozilla will return an error
when SSL/TLS or Code Signing certificates have RSA key sizes smaller
than 2048 bits."

6) Delete the third bullet point of item #9 of the Maintenance Policy.
Current text: "after December 31, 2013, Mozilla will disable or remove
all root certificates with RSA key sizes smaller than 2048 bits;"

I will greatly appreciate your thoughtful and constructive input as we
consider changes to make to Mozilla's CA Certificate Policy.

Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
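The two proposed rules in items 4 and 5 are concrete enough to express as a certificate check. The following is an added example (not part of the mailing-list post and not Mozilla's or NSS's code): it walks a certificate's DER encoding far enough to read the signature algorithm OID from tbsCertificate and the RSA modulus size from subjectPublicKeyInfo, then applies the item 4 digest rule to every certificate and the item 5 key-size rule only to the SSL/TLS and Code Signing cases the proposed text names. The tiny DER encoder, the unsigned toy certificate it builds, and the usage labels "tls", "codesigning" and "smime" are this example's own constructions; the OIDs are the standard RFC 3279 / RFC 4055 values.

```python
"""Added example: check a DER certificate against the item 4 (MD2/MD4/MD5
signatures) and item 5 (RSA < 2048 bits for SSL/TLS and Code Signing) rules.
The DER builder, toy certificate and usage labels are constructed for this
example and are not Mozilla code."""

# Signature algorithm OIDs (RFC 3279 / RFC 4055) whose digests item 4 rejects.
WEAK_DIGEST_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}
SHA256_RSA_OID = "1.2.840.113549.1.1.11"
RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"
MIN_RSA_BITS = 2048
# Item 5 applies the key-size error only to these types (label names are ours).
KEY_SIZE_ENFORCED_USAGES = {"tls", "codesigning"}


# --- minimal DER encoder, used only to build constructed test certificates ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high bit set on all but the last octet
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return tlv(0x06, body)

def der_int(n):
    # One spare byte keeps the leading bit clear so the INTEGER stays positive.
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def alg_id(oid):
    return tlv(0x30, der_oid(oid) + b"\x05\x00")   # AlgorithmIdentifier, NULL params

def make_cert(sig_oid, modulus_bits):
    """Constructed, unsigned toy certificate: only the fields the checker reads are real."""
    modulus = (1 << (modulus_bits - 1)) | 1           # exact bit length, odd
    rsa_key = tlv(0x30, der_int(modulus) + der_int(65537))
    spki = tlv(0x30, alg_id(RSA_ENCRYPTION_OID) + tlv(0x03, b"\x00" + rsa_key))
    utc = tlv(0x17, b"150101000000Z")
    tbs = tlv(0x30, tlv(0xA0, der_int(2))           # version v3, EXPLICIT [0]
                    + der_int(1)                     # serialNumber
                    + alg_id(sig_oid)                # signature
                    + tlv(0x30, b"")                 # issuer (empty Name)
                    + tlv(0x30, utc + utc)           # validity
                    + tlv(0x30, b"")                 # subject (empty Name)
                    + spki)                          # subjectPublicKeyInfo
    return tlv(0x30, tbs + alg_id(sig_oid) + tlv(0x03, b"\x00" * 33))  # dummy signature


# --- minimal DER reader: enough to reach the two fields the policy cares about ---
def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def cert_facts(der):
    """Return (signature OID from tbsCertificate, key algorithm OID, RSA modulus bits or None)."""
    _, cert, _ = read_tlv(der)
    _, tbs, _ = read_tlv(cert)
    fields, pos = [], 0
    while pos < len(tbs):
        tag, body, pos = read_tlv(tbs, pos)
        fields.append((tag, body))
    if fields[0][0] == 0xA0:         # optional EXPLICIT version; drop it so indexes are fixed
        fields.pop(0)
    sig_alg, spki = fields[1][1], fields[5][1]       # serial, signature, issuer, validity, subject, spki
    sig_oid = decode_oid(read_tlv(sig_alg)[1])
    _, key_alg, pos = read_tlv(spki)
    key_oid = decode_oid(read_tlv(key_alg)[1])
    key_bits = None
    if key_oid == RSA_ENCRYPTION_OID:
        bit_string = read_tlv(spki, pos)[1]
        rsa_key = read_tlv(bit_string[1:])[1]        # skip the unused-bits octet
        key_bits = int.from_bytes(read_tlv(rsa_key)[1], "big").bit_length()
    return sig_oid, key_oid, key_bits

def policy_errors(der, usage):
    """Errors the proposed item 4 and item 5 text would raise for this certificate."""
    sig_oid, key_oid, key_bits = cert_facts(der)
    errors = []
    if sig_oid in WEAK_DIGEST_SIG_OIDS:
        errors.append("signature uses " + WEAK_DIGEST_SIG_OIDS[sig_oid])
    if usage in KEY_SIZE_ENFORCED_USAGES and key_oid == RSA_ENCRYPTION_OID and key_bits < MIN_RSA_BITS:
        errors.append(f"RSA key is {key_bits} bits, below {MIN_RSA_BITS}")
    return errors

if __name__ == "__main__":
    for label, cert, usage in [
        ("MD5 signed, 2048-bit RSA, TLS", make_cert("1.2.840.113549.1.1.4", 2048), "tls"),
        ("SHA-256 signed, 1024-bit RSA, TLS", make_cert(SHA256_RSA_OID, 1024), "tls"),
        ("SHA-256 signed, 1024-bit RSA, S/MIME", make_cert(SHA256_RSA_OID, 1024), "smime"),
    ]:
        print(label, "->", policy_errors(cert, usage) or "ok")
```

Two design points worth noting. The signature algorithm is read from the `signature` field inside tbsCertificate rather than the outer `signatureAlgorithm`, because only the inner one is covered by the signature (RFC 5280 requires the two to match, and a validator should treat a mismatch as an error). And the key-size rule is deliberately gated on usage: the proposed item 5 text names SSL/TLS and Code Signing certificates only, so a 1024-bit S/MIME certificate passes this check even though the MD2/MD4/MD5 rule in item 4 applies to every certificate.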