On 8/24/15 5:53 AM, Gervase Markham wrote:
> Hi Kathleen,
>
> On 20/08/15 19:12, Kathleen Wilson wrote:
>> It's time to begin discussions about updating Mozilla's CA Certificate
>> Policy.
>
> Great :-)
>
>> A list of the things to consider changing is here:
>> https://wiki.mozilla.org/CA:CertPolicyUpdates#Consider_for_Version_2.3
>
> How do you want to deal with this list? Is it "default-do" or
> "default-don't-do"? That is, should I spend my time arguing for the
> changes I would like to see, arguing against the changes I think are
> bogus, or a combination of the two?

I will open a separate discussion thread for each item, beginning with
"1. Clean up the "Other considerations when updating the CA Certificate
Policy" section of the Potentially Problematic Practices page. i.e.
figure out which items should be put directly into Mozilla's CA
Certificate Policy."

At that point, you can argue for/against it.

>> Please review the list to let me know if there are any topics missing.
>
> I've updated the list so that the topics are numbered, which should
> hopefully help discussion.

Thanks.

>> To start with, I would like to make the following changes, so please
>> reply soon if you foresee any problems with these:
>
> Do you anticipate making all the changes in one batch, or do you think
> you might do a 2.3 with the below changes, and a 2.4 with some other
> changes which require more discussion?

I am considering doing it all in one batch, but that can change.

I am also considering using GitHub to track the changes as we complete
each discussion.

>> 2) Update item #12 of the Inclusion Policy to refer to a more recent
>> version of the CA/Browser Forum Baseline Requirements. And add "or
>> later" to the BR version number.
>>
>> Which version number should I use?
>
> Whichever version is current at the time you issue the new policy.
>
> But do we have a plan to give CAs a timeframe to come into compliance?

When we release the new version of the policy, I will also provide a
wiki page with guidance and time frames for CAs to get into compliance.
e.g. https://wiki.mozilla.org/CA:CertificatePolicyV2.2

> If you add "or later", does that mean that CAs must comply with at least
> the version number given but may, at their option, comply with a later
> version?

That is my intent. I do not want to have to update Mozilla's CA Cert
Policy every time the BRs are updated, but I don't want to limit the CAs
to an old version for the BRs either.

Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy