On 07/03/17 11:37, Gervase Markham wrote: > Here are some proposals for policy change. Please do comment on these or > suggest others.
I can report that at the CAB Forum face-to-face in Raleigh, NC, USA this week, there was broad consensus to draw up a ballot which prevents CAs from (to summarise broadly) outsourcing BR 3.2.2.4 and 3.2.2.5 - domain name and IP address ownership - validation to third parties, and that this restriction would be enacted at the level of the BRs, not the level of Mozilla policy. So I will be working with interested parties from the Forum to draft some wording that achieves that, as there are various cases to consider to make sure we don't forbid certain common and secure activities by accident. This would be stronger than and therefore supercede: > Policy Proposal 1: require all CAs to arrange it so that certs validated > by an RA are issued from one or more intermediates dedicated solely to > that RA, with such intermediates clearly labelled with the name of the > RA in the Subject. Other forms of validation will continue to be outsourceable. Mozilla does not recognise OV certificates, but when it comes to EV, we do need to make sure that any outsourcing is properly audited and those audit findings are properly communicated. How we do this remains an open and difficult question; however, domain/IP ownership validation is so core to a CA's activity that it seems wise to remove it from the scope of this wider problem by banning outsourcing it outright. I will take up the topic of possible action against Symantec in the other thread. Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
