On 3/15/16 5:16 AM, Gervase Markham wrote:
>> This survey requests a set of actions on your behalf, as a
>> participant in Mozilla's CA Certificate Program by [DATE TBD].
>
> In general, I think that dates should be set the same distance in the
> future as previous CA communications. It seems that most CAs have not
> had a problem complying with the previous timelines we have set. In the
> past, we've given them 3 weeks to respond - that seems plenty.
>
> Some of the items have individual response deadlines, and there is a
> master response deadline here at the top. If we have both, we need to be
> clear on how they relate.
>

Updated. I've used April 22, 2016, as the date by which CAs must respond
to the communication, assuming I get it sent by the end of March.

>> To respond to this survey, please log in to the CA Community in
>> Salesforce, click on the 'CA Communications (Page)' tab, and select
>> the 'March 2016 CA Communication' survey. Please enter your initial
>> response by [DATE TBD]. After that, you may update your responses
>> until the survey Expiration Date of [TBD], by following these same
>> steps.
>
> I don't think it's necessary to have different initial response and
> final response dates. We should just have a response date, noting that
> CAs can update their answers.
>

OK. Expiration date info removed.

>> ACTION #1a: As previously communicated, CAs should no longer be
>> issuing SHA-1 certificates chaining up to root certificates included
>> in Mozilla's CA Certificate Program. Check your systems and those of
>> your subordinate CAs to ensure that SHA-1 certificates chaining up to
>> your included root certificates are no longer being issued. Please
>> enter the last date that a SHA-1 certificate was issued that chained
>> up to your root certificate(s) included in Mozilla's program.
>> (Required)
>
> This is one overall date, not one date per root, right?

Correct, one overall date. It now says:

"... Please enter the last date that a SHA-1 based TLS/SSL certificate
was issued that chained up to your root certificates included in
Mozilla's program."

OK?

>> ACTION #1b: Enter the date when all of the SHA-1 certificates that
>> chain up to your root certificate(s) included in Mozilla's CA
>> Certificate Program will either expire or be revoked. As previously
>> communicated we plan to show the "Untrusted Connection" error
>> whenever a SHA-1 certificate is encountered in Firefox after January
>> 1, 2017. (Required)
>
> Again, this is one overall date, not one per root?

Correct.

It now says:

"ACTION #1b: Enter the date when all of the SHA-1 based TLS/SSL
certificates that chain up to your root certificates included in
Mozilla's CA Certificate Program will either expire or be revoked. As
previously communicated we plan to show the "Untrusted Connection" error
whenever a SHA-1 certificate is encountered in Firefox after January 1,
2017. (Required)"

OK?

>> ACTION #1c: Enter the date by which safeguards will be put into place
>> that will prevent the future issuance of SHA-1 certificates that
>> chain up to your root certificate(s) included in Mozilla's CA
>> Certificate Program. If you have already completed this, then please
>> enter the approximate date when those safeguards were completed.
>> (Required)
>
> Are we requiring such safeguards? If not, then there needs to be a "not
> implemented" option. If so, then we need to be clearer about explaining
> where we promulgated that requirement.

I am not aware of requirements about putting safeguards in place.

How about if I delete action 1c, and add the following sentence to
action 1b?

"We recommend that you put safeguards into place that will prevent the
future issuance of SHA-1 based TLS/SSL and S/MIME certificates and SHA-1
based intermediate certificates that chain up to your root certificates
included in Mozilla's CA Certificate Program."

>> ACTION #5: Review the root certificates that you currently have
>> included in Mozilla's CA Certificate Program, and let us know which
>> of your root certificates may be removed, and when.
>
> I would say "whether any of them can now be removed or could be removed
> in the next year and, if so, when."
>

Updated. Now it says:

"ACTION #5: Review the root certificates that you currently have
included in Mozilla's CA Certificate Program, and let us know whether
any of them can now be removed or could be removed in the next year and,
if so, when. For instance, if you have old root certificates that are
being replaced by newer root certificates, indicate when you expect to
finish migrating your customers to the new root certificates. Provide
the Issuer Field and SHA-256 Fingerprint of each root certificate that
may be removed, and the date when the root certificate may be removed.
(Required)"

>> Review your policies, procedures, and auditing about issuance of test
>> certificates, what domain names may be used in test certificates, and
>> the domain verification procedures that must be followed for test
>> certificates.
>
> This is merely a requirement to review, not a question to answer. Is
> that intentional?
>
>> [TBD] What else should we say here? -- What sort of responses do we
>> want from CAs? -- Rules about testing and test certs (per Symantec
>> incident) -- What sorts of things do we want to make sure CAs do and
>> don't do regarding testing? (Required)
>
> We could simply get an "I confirm that I understand that all
> certificates issued, without exception, must conform to the Mozilla
> policy requirements" checkbox.

Updated as follows:

"ACTION #6: All certificates that directly or transitively chain to your
root certificates included in Mozilla's CA Certificate Program must
comply with Mozilla's CA Certificate Policy. This includes test
certificates. Review your policies, procedures, and auditing about
issuance of test certificates, what domain names may be used in test
certificates, and the domain verification procedures that must be
followed for test certificates. (Required)

[checkbox] I confirm that I understand that issuance of TLS/SSL
certificates chaining up to root certificates included in Mozilla's CA
Certificate Program, without exception, must conform to Mozilla's CA
Certificate Policy and the domain validation procedures documented in
our CP/CPS."

OK?

Thanks,
Kathleen

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy


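Action #1a above asks each CA to check its systems for SHA-1 certificates still being issued and to report the last date one was issued. The following is an added example, not code from this thread or from Mozilla's CA program, of the kind of sweep a CA could run over its issued certificates: a dependency-free DER walker that extracts the signature algorithm OID and validity period from each certificate, flags the SHA-1 signature OIDs defined in RFC 3279 and RFC 5758, and reports the latest notBefore date among the SHA-1 hits. The certificates it runs on are constructed in the block by a tiny DER encoder (dummy key, all-zero signature) so the example runs offline; the function names and the "Toy CA" subject name are my own and are not from the original.

```python
from datetime import datetime

# Signature-algorithm OIDs that use SHA-1 (RFC 3279 / RFC 5758).
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
SHA256_RSA_OID = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the content of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        out.append((tag, v))
    return out


def _decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _decode_time(tag, value):
    """Decode UTCTime (0x17, two-digit year per RFC 5280) or GeneralizedTime (0x18)."""
    s = value.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]
    return datetime.strptime(s, "%Y%m%d%H%M%SZ")


def inspect_certificate(der):
    """Return the signature algorithm, a SHA-1 flag and the validity of a DER certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER Certificate SEQUENCE")
    (_, tbs), (_, sig_alg), _signature = _children(cert)
    fields = _children(tbs)
    idx = 1 if fields[0][0] == 0xA0 else 0  # skip the optional [0] version
    inner_oid = _decode_oid(_children(fields[idx + 1][1])[0][1])  # TBS 'signature'
    outer_oid = _decode_oid(_children(sig_alg)[0][1])             # 'signatureAlgorithm'
    (nb_tag, nb), (na_tag, na) = _children(fields[idx + 3][1])    # 'validity'
    return {
        "signature_oid": outer_oid,
        "signature_name": SHA1_SIG_OIDS.get(outer_oid, "non-SHA-1 (" + outer_oid + ")"),
        "sha1": outer_oid in SHA1_SIG_OIDS,
        "algorithm_mismatch": inner_oid != outer_oid,  # RFC 5280 requires the two to match
        "not_before": _decode_time(nb_tag, nb),
        "not_after": _decode_time(na_tag, na),
    }


def last_sha1_issuance(certs):
    """certs: {label: der}. Return (latest notBefore among SHA-1 certs or None, sorted labels)."""
    hits = {}
    for label, der in certs.items():
        info = inspect_certificate(der)
        if info["sha1"]:
            hits[label] = info["not_before"]
    if not hits:
        return None, []
    return max(hits.values()), sorted(hits)


# ---- constructed test data: a minimal DER encoder builds toy certificates ----
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return _der(0x06, body)


def build_toy_certificate(sig_oid, not_before, not_after):
    """Structurally valid Certificate with a dummy key and all-zero signature.
    CONSTRUCTED for this example only; it is not a real or trusted certificate."""
    alg = _der(0x30, _encode_oid(sig_oid) + _der(0x05, b""))
    utc = lambda dt: _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    name = _der(0x30, _der(0x31, _der(0x30, _encode_oid("2.5.4.3") + _der(0x13, b"Toy CA"))))
    spki = _der(0x30, _der(0x30, _encode_oid("1.2.840.113549.1.1.1") + _der(0x05, b""))
                + _der(0x03, b"\x00" * 9))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name
               + _der(0x30, utc(not_before) + utc(not_after)) + name + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 17))


SAMPLE_CERTS = {  # constructed: one legacy SHA-1 certificate, one SHA-256 certificate
    "legacy-sha1": build_toy_certificate("1.2.840.113549.1.1.5",
                                         datetime(2015, 6, 1), datetime(2016, 6, 1)),
    "current-sha256": build_toy_certificate(SHA256_RSA_OID,
                                            datetime(2016, 3, 1), datetime(2018, 3, 1)),
}

if __name__ == "__main__":
    for label, der in SAMPLE_CERTS.items():
        print(label, inspect_certificate(der))
    print("last SHA-1 issuance:", last_sha1_issuance(SAMPLE_CERTS))
```

To run this against real data, replace SAMPLE_CERTS with a mapping of file names to the DER bytes read from the CA's issued-certificate store; the walker only reads the outer Certificate structure and the TBS validity field, so it does not depend on extensions or key types. The algorithm_mismatch flag is worth keeping in such a sweep: a certificate whose TBS signature field disagrees with the outer signatureAlgorithm is malformed under RFC 5280 regardless of which digest it names.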