Last year we held a discussion on this topic [1] that concluded as follows:

> It is true that in the case of a legacy root, creating a new root with a
> cross-sign is not technically all that complex (although it may take
> some time organizationally) and then we could embed that new one.
>
> Given that option, perhaps a blanket statement of BR compliance for all
> unexpired and unrevoked certificates is OK - allowing the CA to choose
> how best to meet the requirement.
>

I believe that the solution I proposed for issue 113 [2] (Require audits
back to first issuance) also takes care of this issue. Here is what I
proposed:

> In section 2.3 (Baseline Requirements Conformance), add a new bullet that
> states "Before being included, CAs MUST provide evidence that their root
> certificates have, from the time of creation and continually thereafter,
> complied with the then current Mozilla Root Store Policy and CA/Browser
> Forum Baseline Requirements."
>

Once again, I'd appreciate everyone's input on this topic.

This is: https://github.com/mozilla/pkipolicy/issues/99

[1]
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/2vBlRyfwxEs
[2]
https://groups.google.com/d/msg/mozilla.dev.security.policy/rR9g5BJ6R8E/TPgol2fcBwAJ

-------

This is a proposed update to Mozilla's root store policy for version
2.6. Please keep discussion in this group rather than on GitHub. Silence
is consent.

Policy 2.5 (current version):
https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
