All,
I would like to start drafting the next CA Communication, with the goal
of sending it around the end of February.
For reference, previous CA Communications are here:
https://wiki.mozilla.org/CA:Communications
I think the following items should be in this upcoming communication.
~~
- Have CAs check their included roots, and let us know which of their
roots may be removed (and when). They can do this via Salesforce or via
the reports generated by Salesforce -
https://wiki.mozilla.org/CA:IncludedCAs
- SHA-1 -- CAs need to check their own and their subCAs' systems and put
safeguards in place to ensure they cannot issue SHA-1 SSL/TLS certs
chaining up to their included root certs.
- mozpkix - Things for CAs to Fix
(https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix)
status update
-- Notice of previously allowed certs that are going to break in Firefox
49 if the CA hasn't fixed them -- such certs will be rejected.
https://wiki.mozilla.org/SecurityEngineering/Removing_Compatibility_Workarounds_in_mozilla::pkix
- Rules about testing and test certs (per Symantec incident)
-- What sorts of things do we want to make sure CAs do and don't do
regarding testing?
- CA Community in Salesforce
-- https://wiki.mozilla.org/CA:SalesforceCommunity
-- Need all non-technically-constrained intermediate certs chaining up
to included root certs to be entered into Salesforce by <TBD>.
-- Need all revoked (non-expired) intermediate certs chaining up to
included root certs to be entered into Salesforce by <TBD>.
-- We will expect CAs to continue to update Salesforce as their CA
hierarchies change. This notice is to set some reasonable goals about
when to get the initial data entered.
- Progress on updating Mozilla's CA Certificate Policy
https://wiki.mozilla.org/CA:CertificatePolicyV2.3
[Note to you all: My apologies for letting the policy update discussions
stall. I am hoping to get back to them soon.]
~~
As always, I will appreciate your thoughtful and constructive feedback
on this.
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
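The SHA-1 item above asks CAs to verify that nothing in their hierarchy can still issue SHA-1-signed TLS certificates. The check itself is straightforward: walk the DER of each issued certificate and read the signatureAlgorithm OID. The following is an added example, not code from the message, from Mozilla or from any CA; it uses only the Python standard library, parses just enough DER to locate both AlgorithmIdentifier fields of a Certificate (RFC 5280 requires the outer `signatureAlgorithm` to equal `tbsCertificate.signature`, so a mismatch is reported too), and builds a constructed, skeletal certificate (`toy_certificate`, an assumed helper for test data only, not a real or valid certificate) so it runs offline. A CA would point `sha1_issue` at a DER dump of its issuance database or run the same logic as a pre-issuance gate in front of the signer.

```python
"""Flag SHA-1 signed X.509 certificates by inspecting DER directly (added example)."""

# Signature algorithm OIDs that use SHA-1 as the digest.
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.3.14.3.2.29": "sha-1WithRSAEncryption (OIW)",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
# Caveat: RSASSA-PSS (1.2.840.113549.1.1.10) names its digest in the parameters,
# not in the OID, so a PSS-with-SHA-1 cert needs a parameter check this example omits.


def _read_tlv(buf, pos):
    """Parse the DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode DER OID content bytes to dotted notation (first two arcs packed in byte 0)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear terminates the base-128 arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _alg_identifier_oid(buf, pos):
    """pos points at an AlgorithmIdentifier SEQUENCE; return its algorithm OID."""
    tag, start, _ = _read_tlv(buf, pos)
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, ostart, oend = _read_tlv(buf, start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(buf[ostart:oend])


def signature_algorithms(cert_der):
    """Return (tbsCertificate.signature OID, outer signatureAlgorithm OID) of a DER Certificate."""
    tag, start, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER Certificate")
    tag, tbs_start, tbs_end = _read_tlv(cert_der, start)
    if tag != 0x30:
        raise ValueError("expected tbsCertificate")
    outer = _alg_identifier_oid(cert_der, tbs_end)  # field right after tbsCertificate
    # Inside TBS: optional [0] EXPLICIT version, INTEGER serialNumber, then signature.
    pos = tbs_start
    tag, _, nxt = _read_tlv(cert_der, pos)
    if tag == 0xA0:
        pos = nxt
        tag, _, nxt = _read_tlv(cert_der, pos)
    if tag != 0x02:
        raise ValueError("expected serialNumber")
    inner = _alg_identifier_oid(cert_der, nxt)
    return inner, outer


def sha1_issue(cert_der):
    """Return a finding string for a SHA-1 signed or inconsistent cert, or None if clean."""
    inner, outer = signature_algorithms(cert_der)
    if inner != outer:
        return f"signature algorithm mismatch: tbs={inner} outer={outer}"
    if outer in SHA1_SIG_OIDS:
        return f"SHA-1 signature: {SHA1_SIG_OIDS[outer]} ({outer})"
    return None


# --- constructed test data below: a DER skeleton, not a real certificate ---

def _der(tag, body):
    """Encode one DER TLV."""
    n = len(body)
    if n < 128:
        lenb = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        lenb = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + lenb + body


def _encode_oid(dotted):
    """Encode a dotted OID into DER content bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def toy_certificate(tbs_sig_oid, outer_sig_oid=None):
    """Assumed helper: build the leading fields of a v3 Certificate for testing the checker."""
    outer_sig_oid = outer_sig_oid or tbs_sig_oid

    def alg(oid):
        return _der(0x30, _der(0x06, _encode_oid(oid)) + _der(0x05, b""))

    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))  # version v3
               + _der(0x02, b"\x2a")            # serialNumber 42
               + alg(tbs_sig_oid)               # tbsCertificate.signature
               + _der(0x30, b""))               # issuer and later fields left empty: never read here
    return _der(0x30, tbs + alg(outer_sig_oid) + _der(0x03, b"\x00" + bytes(8)))


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.11", "1.2.840.113549.1.1.5", "1.2.840.10045.4.1"):
        print(oid, "->", sha1_issue(toy_certificate(oid)))
```

Reading the OID out of the outer field alone is not enough: the inner `tbsCertificate.signature` is what is actually covered by the signature, so a gate that only looks at the outer field can be fooled by a mismatched cert, which is why the checker reports any disagreement between the two before classifying the digest.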