I will consider this issue to be resolved by the change I made for issue


- Wayne

On Wed, Apr 4, 2018 at 2:31 PM, Wayne Thayer <wtha...@mozilla.com> wrote:

> Last year we held a discussion on this topic [1] that concluded as follows:
> It is true that in the case of a legacy root, creating a new root with a
>> cross-sign is not technically all that complex (although it may take
>> some time organizationally) and then we could embed that new one.
>> Given that option, perhaps a blanket statement of BR compliance for all
>> unexpired and unrevoked certificates is OK - allowing the CA to choose
>> how best to meet the requirement.
> I believe that the solution I proposed for issue 113 [2] (Require audits
> back to first issuance) also takes care of this issue. Here is what I
> proposed:
> In section 2.3 (Baseline Requirements Conformance), add a new bullet that
>> states "Before being included, CAs MUST provide evidence that their root
>> certificates have, from the time of creation and continually thereafter,
>> complied with the then current Mozilla Root Store Policy and CA/Browser
>> Forum Baseline Requirements."
> Once again, I'd appreciate everyone's input on this topic.
> This is: https://github.com/mozilla/pkipolicy/issues/99
> [1] https://groups.google.com/forum/#!topic/mozilla.dev.
> security.policy/2vBlRyfwxEs
> [2] https://groups.google.com/d/msg/mozilla.dev.security.
> policy/rR9g5BJ6R8E/TPgol2fcBwAJ
> -------
> This is a proposed update to Mozilla's root store policy for version
> 2.6. Please keep discussion in this group rather than on GitHub. Silence
> is consent.
> Policy 2.5 (current version):
> https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md
dev-security-policy mailing list

Reply via email to