On 9/16/15 8:53 PM, David E. Ross wrote:
On 9/15/2015 8:51 AM, Kathleen Wilson wrote [in part]:
Yes. My plan is to publish the DRAFT of version 2.3 of the policy and
list the changes, and then send a CA Communication to be sure they are
all aware of the proposed changes and give them time to respond. So, it
is very possible that a change we make to the DRAFT of version 2.3 of
the policy will need to be re-visited after the CA Communication.
Having said that, it would be easier for me if any such issues are
raised during this discussion. There are CAs who regularly participate
in this discussion forum, so I would very much like to hear from any of
those CAs who actually have customers depending on certs for code
signing purposes chaining up to roots in the NSS root store.
I will ask again: How broadly is this being announced?
It is not currently being broadly announced -- just here, and in
discussions with CAB Forum members. I don't want to go through
press/news stuff for every single item we're going to be discussing. I
prefer to do the broad announcement when we have a full proposed DRAFT
of version 2.3 of the policy. And I expect it will take a few months to
get through all of the topics.
Will a news
release be sent to Slash.dot, ZDNet, or any other external news
services?
When we send the CA Communication for final input on the DRAFT of
version 2.3 of the policy, we will also work with Mozilla communications
folks to share the information with external news services. I'm sure it
will get decent external news attention, as has happened for previous CA
Communications and policy updates.
This proposed change to remove code signing from Mozilla's CA Cert
Policy is just one of the many changes we will be discussing, as per
https://wiki.mozilla.org/CA:CertificatePolicyV2.3
So, the plan is to make all of the proposed changes in the DRAFT of
Version 2.3 based on discussions here, and then when we have a DRAFT
ready for final review we will make it very clear what the proposed
changes are, and make sure it is properly communicated to CAs and
external news services.
Or will this be announced only within Mozilla's media?
When we publish the full DRAFT for final review, then we will work with
Mozilla communications folks to make sure it gets shared in other media
as well.
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
