On Monday, November 7, 2016 at 6:09:39 AM UTC-8, Gervase Markham wrote: > Hi everyone, > > We would like to reinvigorate the process of developing the next version > of Mozilla's root policy. Kathleen has been wrestling with it for some > time now, but her time is limited and her tasks are many. Other > obstructions include the "big bang" model of change we were using, the > lack of collaboration tools, and the method of tracking issues in a big > wiki page.
Thank you, Gerv, for taking this on! > > So, thanks to the magic of pandoc, I have converted the current policy > (version 2.2) to a single Markdown document which now lives here, on the > "2.2" branch: > > https://github.com/mozilla/pkipolicy/blob/2.2/rootstore/policy.md Looks good to me. > > (I know there was another github repo with 2.3 work; I've started over > again because I wanted to start from a clean 2.2, and make it into a > single document from the beginning, for easier diffing. The repo name is > also more generic, leaving room for CT policy and perhaps CCADB policy.) > I have updated the top of https://wiki.mozilla.org/CA:CertificatePolicyV2.3 to point to the new location in github, etc. > It would be useful if people checked it over to make sure I have not > made any mistakes in conversion. The original is here, in four pages: > https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Just one minor glitch in the last bullet point of item 11 of the Inclusion policy regarding EV audit criteria. Otherwise, looks good. > Secondly, I have implemented all the agreed decisions from this list: > https://wiki.mozilla.org/CA:CertificatePolicyV2.3 > on top of version 2.2 to make a current draft of version 2.3. I have reviewed https://github.com/mozilla/pkipolicy/blob/master/rootstore/policy.md and I see all of the expected changes, as per https://wiki.mozilla.org/CA:CertificatePolicyV2.3#Changes_Made_to_DRAFT_Version_2.3 In section 11 the two bullet points regarding ETSI TS 119 411 are out of date. It currently says: "" - Clause 6 “Trust Service Providers practice” in ETSI TS 119 411-1 V1.0.1 or later version Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements (as applicable to the "EVCP" and "EVCP+" certificate policies, DVCP and OVCP certificate policies for publicly trusted certificates - baseline requirements and any of the and any of the "NCP", "NCP+", or "LCP" certificate policies); - Clause 6 “Trust Service Providers practice” in ETSI TS 119 411-2 V2.0.7 or later version Policy and security requirements for Trust Service Providers issuing certificates; Part 2: Requirements for trust service providers issuing EU qualified certificates (only applicable to electronic signature certificate issuance; applicable to either “QCP-l” or “QCP-l-qscd“ or “QCP-n” or ‘’QCP-n-qscd’’ or ‘’QCP-w)."" In the BRs it says: "2. A national scheme that audits conformance to ETSI TS 102 042/ ETSI EN 319 411-1;" and references: ETSI EN 319 403, Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment ‐ Requirements for conformity assessment bodies assessing Trust Service Providers. ETSI EN 319 411‐1, Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements > > Reviewing all these changes, they all seem to be sensible updates to > reflect changes elsewhere, or things which are permissive. Kathleen has > also commented elsewhere that people have been permitted to follow what > the 2.3 draft says for some time. Therefore, it seems to me that we > could ship the current draft version as version 2.3 immediately, with > immediate applicability. Diff: > https://github.com/mozilla/pkipolicy/compare/2.2...master That would be great, with the exception of getting the ETSI audit numbers/info updated first -- so I think we need to get https://github.com/mozilla/pkipolicy/issues/3 into this version 2.3. > > We would then start work on 2.4. Does anyone see a problem with that? Sounds good to me. > > Thirdly, I have converted all of the proposed changes from that page > into Github issues in the pkipolicy repository. > https://github.com/mozilla/pkipolicy/issues > Please make sure your favourite issue is present and well-explained, and > file new ones if not. > > Fourthly, I have triaged the issues and marked those I think are urgent > and achievable in a reasonably short time frame with the "2.4" > milestone. That list is here: > https://github.com/mozilla/pkipolicy/milestone/1 That link didn't work for me. Here's the link that works for me: https://github.com/mozilla/pkipolicy/issues?q=is%3Aopen+is%3Aissue+milestone%3A2.4 > > Please dispute my triage, either in or out, here on this list :-) > > So the proposal is to ship the current draft immediately as 2.3, then > implement the urgent changes as soon as possible and ship that as 2.4, > and then retriage the remaining issues to see what to do next. > > Comments, as always, are welcome. Thanks! Kathleen _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
