I will consider this issue to be resolved by the change I made for issue 113:
https://github.com/mozilla/pkipolicy/commit/55929f58da98a7af08fbf4bc2eb4537991de481b

- Wayne

On Wed, Apr 4, 2018 at 2:31 PM, Wayne Thayer <wtha...@mozilla.com> wrote:

> Last year we held a discussion on this topic [1] that concluded as follows:
>
>> It is true that in the case of a legacy root, creating a new root with a
>> cross-sign is not technically all that complex (although it may take
>> some time organizationally) and then we could embed that new one.
>>
>> Given that option, perhaps a blanket statement of BR compliance for all
>> unexpired and unrevoked certificates is OK - allowing the CA to choose
>> how best to meet the requirement.
>
> I believe that the solution I proposed for issue 113 [2] (Require audits
> back to first issuance) also takes care of this issue. Here is what I
> proposed:
>
>> In section 2.3 (Baseline Requirements Conformance), add a new bullet that
>> states "Before being included, CAs MUST provide evidence that their root
>> certificates have, from the time of creation and continually thereafter,
>> complied with the then current Mozilla Root Store Policy and CA/Browser
>> Forum Baseline Requirements."
>
> Once again, I'd appreciate everyone's input on this topic.
>
> This is: https://github.com/mozilla/pkipolicy/issues/99
>
> [1] https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/2vBlRyfwxEs
> [2] https://groups.google.com/d/msg/mozilla.dev.security.policy/rR9g5BJ6R8E/TPgol2fcBwAJ
>
> -------
>
> This is a proposed update to Mozilla's root store policy for version
> 2.6. Please keep discussion in this group rather than on GitHub. Silence
> is consent.
>
> Policy 2.5 (current version):
> https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy