At the moment, the CAB Forum's Network Security guidelines are audited
as part of an SSL BR audit. This means that CAs or sub-CAs which only do
email don't technically have to meet them. However, they also have a
number of deficiencies, and the CAB Forum is looking at replacing them
with something better, ideally maintained by another organization. So
just mandating that everyone follow them doesn't seem like the best thing.

Nevertheless, I think it's valuable to make it clear in our policy that
all CAs are expected to follow best practices for network security. I
suggest this could be done by adding a bullet to section 2.1:

"CAs whose certificates are included in Mozilla's root program MUST:
....
* follow industry best practice for securing their networks, for example
by conforming to the CAB Forum Network Security Guidelines or a
successor document;"

This provides flexibility in exactly what is done, while making it
reasonably clear that leaving systems unpatched for 5 years would not be
acceptable.

This is: https://github.com/mozilla/pkipolicy/issues/70

-------

This is a proposed update to Mozilla's root store policy for version
2.5. Please keep discussion in this group rather than on Github. Silence
is consent.

Policy 2.4.1 (current version):
https://github.com/mozilla/pkipolicy/blob/2.4.1/rootstore/policy.md
Update process:
https://wiki.mozilla.org/CA:CertPolicyUpdates
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy