Gerv,

Moving to a new CA within 6 months is certainly reasonable, but having enterprise 
customers also replace all certificates so the CA can be revoked within 6 
months might be a bit short, especially since several of those months are over 
the holidays.  Would you consider an approach where the CAs MUST NOT issue new 
certificates after 15 November (4 months) and the CAs SHALL be revoked no later 
than 15 April (9 months)?

Doug

> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-
> [email protected]] On Behalf Of
> Gervase Markham via dev-security-policy
> Sent: Thursday, June 22, 2017 8:50 AM
> To: [email protected]
> Subject: Re: Root Store Policy 2.5: Call For Review and Phase-In Periods
> 
> On 21/06/17 16:58, Doug Beattie wrote:
> >> It's worth noting that if we had discovered this situation for SSL -
> >> that an unconstrained intermediate or uncontrolled power of issuance
> >> had been given to a company with no audit - we would be requiring the
> >> intermediate be revoked today, and probably taking further action as well.
> >
> > Agree
> 
> After consultation, I have decided to implement this requirement with a
> phase-in period of six months, for already-existing intermediates. So before
> 15th January 2018 (add a bit because of Christmas) these customers, and any
> others like them at any other CA, need to have audits (over at least 30 days of
> operations), move to a name-constrained intermediate, or move to a
> managed service which does domain ownership validation on each domain
> added to the system. I expect these two intermediates to be revoked on or
> before 15th January 2018.
> 
> I realise this is not what you were hoping for, but it's not reasonable to leave
> unconstrained intermediates in the hands of those not qualified to hold them
> for a further 2 years. I am allowing six months because, despite the weakness
> of the previous controls, you were in compliance with them and so it's not
> reasonable to ask for a super-quick move.
> 
> https://github.com/mozilla/pkipolicy/commit/44ae763f24d6509bb2311d33950108ec5ec87082
> 
> (ignore the erroneously-added logfile).
> 
> > Are there any other CAs or mail vendors that have tested name constrained
> > issuing CAs? If using name constrained CAs don't work with some or all of the
> > mail applications, it seems like we might as well recommend a change to the
> > requirement.
> 
> I am open to hearing further evidence on this point.
> 
> Gerv
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy