Mozilla policy requires that certificates issued in contravention of a
CA's CP/CPS should be revoked. Other than that, Mozilla policy does not
directly require that a CA operate in accordance with its CP and CPS. We
require this indirectly because the audits that we require, require it.
This perhaps surprising omission was brought to light by the Let's
Encrypt blocklist incident. Discussion:
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/_pSjsrZrTWY
The proposal is to have Mozilla policy directly require that CAs operate
in accordance with the appropriate CP/CPS for the root(s) in our store
on an ongoing basis.
Specifically, we could add text to the top of section 5.2 ("Forbidden
and Required Practices"):
"CA operations MUST at all times be in accordance with the applicable CP
and CPS."
This is: https://github.com/mozilla/pkipolicy/issues/43
-------
This is a proposed update to Mozilla's root store policy for version
2.5. Please keep discussion in this group rather than on Github. Silence
is consent.
Policy 2.4.1 (current version):
https://github.com/mozilla/pkipolicy/blob/2.4.1/rootstore/policy.md
Update process:
https://wiki.mozilla.org/CA:CertPolicyUpdates
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
