In a recent discussion [1] we decided to clarify the audit requirements for new subordinate CA certificates. I’ve drafted a change that requires the new certificate to appear in the next periodic audits and in the CP/CPS prior to issuance:
https://github.com/mozilla/pkipolicy/commit/09867ef4a0db3b1cab162930c0326c84d272ec10 We also discussed requiring root key generation ceremony (RKGC) audit reports, but I have since realized that the BRs (section 6.1.1.1) only require these audit reports for new root certificates. I’m not convinced that we should begin requiring an auditor’s report every time a new subordinate CA certificate is created. I would appreciate everyone's comments on this proposed change. This is: https://github.com/mozilla/pkipolicy/issues/32 [1] https://groups.google.com/d/msg/mozilla.dev.security.policy/CAaC2a2HMiQ/IKimeW4NBgAJ ------- This is a proposed update to Mozilla's root store policy for version 2.6. Please keep discussion in this group rather than on GitHub. Silence is consent. Policy 2.5 (current version): https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
