On 12/05/2017 15:21, Gervase Markham wrote:
Mozilla policy requires that certificates issued in contravention of a
CA's CP/CPS should be revoked. Other than that, Mozilla policy does not
directly require that a CA operate in accordance with its CP and CPS. We
require this indirectly because the audits that we require, require it.
This perhaps surprising omission was brought to light by the Let's
Encrypt blocklist incident. Discussion:
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/_pSjsrZrTWY

The proposal is to have Mozilla policy directly require that CAs operate
in accordance with the appropriate CP/CPS for the root(s) in our store
on an ongoing basis.

Specifically, we could add text to the top of section 5.2 ("Forbidden
and Required Practices"):

"CA operations MUST at all times be in accordance with the applicable CP
and CPS."


Perhaps tweak the wording to make the document submitted to the CCADB
binding, rather than any CP/CPS published elsewhere.

This is: https://github.com/mozilla/pkipolicy/issues/43

-------

This is a proposed update to Mozilla's root store policy for version
2.5. Please keep discussion in this group rather than on Github. Silence
is consent.

Policy 2.4.1 (current version):
https://github.com/mozilla/pkipolicy/blob/2.4.1/rootstore/policy.md
Update process:
https://wiki.mozilla.org/CA:CertPolicyUpdates



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy