On 5/1/17, Gervase Markham via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:
> The last CA Communication laid down our policy of only permitting the 10
> Blessed Methods of domain validation. A CA Communication is an official
> vehicle for Mozilla Policy so this is now policy, but it's not reflected
> in the main policy doc. I was planning to wait until the latest version
> of the BRs had all 10 methods in, but that ballot (ballot 190) seems to
> be taking a bit of time to draft. So perhaps it would be good to add
> language to indicate direction of travel.
>
> This would involve replacing section 2.2.3 of the policy with:
>
> "for a certificate capable of being used for SSL-enabled servers, the CA
> must ensure that the applicant has registered the domain(s) referenced
> in the certificate or has been authorized by the domain registrant to
> act on their behalf. This must be done using one or more of the 10
> methods documented in section 3.2.2.4 of version 1.4.1 (and not any
> other version) of the CA/Browser Forum Baseline Requirements. The CA's
> CP/CPS must clearly specify the procedure(s) that the CA employs, and
> each documented procedure should state which subsection of 3.2.2.4 it is
> complying with. Even if the current version of the BRs contains a method
> 3.2.2.4.11, CAs are not permitted to use this method."

You seem to be replacing a "meets or exceeds" requirement with a
"strictly meets" requirement.

I'd suggest something along the lines of
The CA MUST use one of the allowed methods of domain validation
(<insert reference to the 10 Blessed Methods here>) and, in addition,
MAY use additional and/or stricter methods of domain validation.

In other words, make it clear to an auditor that while the CA must
meet the baseline requirements, it's not an audit failure if they go
above & beyond the minimum requirements of domain validation.

Regards,
Lee



>
> Once the BRs are back to the way they should be, a few edits to this
> para should normalize the situation.
>
> There is a deadline associated with this change of July 21st 2017;
> traditionally, we communicate deadlines for particular requirements
> out-of-band.
>
> This is: https://github.com/mozilla/pkipolicy/issues/77
>
> -------
>
> This is a proposed update to Mozilla's root store policy for version
> 2.5. Please keep discussion in this group rather than on Github. Silence
> is consent.
>
> Policy 2.4.1 (current version):
> https://github.com/mozilla/pkipolicy/blob/2.4.1/rootstore/policy.md
> Update process:
> https://wiki.mozilla.org/CA:CertPolicyUpdates 
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to