Ben,

When, approximately, do you think this proposed updates would become effective, 
and specifically this item:

   https://github.com/mozilla/pkipolicy/issues/206

Doug

-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On 
Behalf Of Ben Wilson via dev-security-policy
Sent: Thursday, October 1, 2020 4:22 PM
To: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Policy 2.7.1 Issues to be Considered

Below is a list of issues that I propose be addressed in the next version
(2.7.1) of the Mozilla Root Store Policy (MRSP). There are currently 73 issues 
related to the MRSP listed here:
https://github.com/mozilla/pkipolicy/issues. So far, I have identified 13 items 
to consider for this policy update; which are tagged as v.2.7.1 in GitHub 
(https://github.com/mozilla/pkipolicy/labels/2.7.1). I will appreciate your 
input on this list as to whether there are issues that should be added or 
removed. Then, based on the list, I will start a separate discussion thread in 
mozilla.dev.security.policy for each issue.

#139 <https://github.com/mozilla/pkipolicy/issues/139> - Audits are required 
even if no longer issuing - Clarify that audits are required until the CA 
certificate is revoked, expired, or removed. Related to Issue #153.

#147 <https://github.com/mozilla/pkipolicy/issues/147> - Require EV audits for 
certificates capable of issuing EV certificates – Clarify that EV audits are 
required for all intermediate certificates that are technically capable of 
issuing EV certificates, even when not currently issuing EV certificates.

#153 <https://github.com/mozilla/pkipolicy/issues/153> – Cradle-to-Grave 
Contiguous Audits – Specify the audits that are required from Root key 
generation ceremony until expiration or removal from Mozilla’s root store.
Related to Issue #139.

#154 <https://github.com/mozilla/pkipolicy/issues/154> - Require Management 
Assertions to list Non-compliance – Add to MRSP 2.4 “If being audited to the 
WebTrust criteria, the Management Assertion letter MUST include all known 
incidents that occurred or were still open/unresolved at any time during the 
audit period.”

#173 <https://github.com/mozilla/pkipolicy/issues/173> - Strengthen requirement 
for newly included roots to meet all past and present requirements – Add 
language to MRSP 7.1 so that it is clear that before being included CAs must 
comply and have complied with past and present Mozilla Root Store Policy and 
Baseline Requirements.

#186 <https://github.com/mozilla/pkipolicy/issues/186> - Clarify MRSP 5.3 
Requirement to Disclose Self-signed Certificates – Clarify that self-signed 
certificates with the same key pair as an existing root meets MRSP 5.3’s 
definition of an intermediate certificate that must be disclosed in the CCADB.

#187 <https://github.com/mozilla/pkipolicy/issues/187> - Require disclosure of 
incidents in Audit Reports –  To MRSP 3.1.4 “The publicly-available 
documentation relating to each audit MUST contain at least the following 
clearly-labelled information: “ add “11. all incidents (as defined in section 
2.4) that occurred or were still open/unresolved at any time during the audit 
period, or a statement that the auditor is unaware of any;”

#192 <https://github.com/mozilla/pkipolicy/issues/192> - Require information 
about auditor qualifications in the audit report – Require audit statements to 
be accompanied by documentation of the auditor’s qualifications demonstrating 
the auditor’s competence and experience.

#205 <https://github.com/mozilla/pkipolicy/issues/205> - Require CAs to publish 
accepted methods for proving key compromise – Require CAs to disclose their 
acceptable methods for proving key compromise in section
4.9.12 of their CPS.

#206 <https://github.com/mozilla/pkipolicy/issues/206> - Limit re-use of domain 
name verification to 395 days – Amend item 5 in MRSP 2.1 with “and verify 
ownership/control of each dNSName and iPAddress in the certificate's 
subjectAltName at intervals of 398 days or less;”

#207 <https://github.com/mozilla/pkipolicy/issues/207> - Require audit 
statements to provide information about which CA Locations were and were not 
audited, and the extent to which they were (or were not) audited

#211 <https://github.com/mozilla/pkipolicy/issues/211> - Align OCSP 
requirements in Mozilla's policy with the section 4.9.10 of the Baseline 
Requirements
#218 <https://github.com/mozilla/pkipolicy/issues/218> Clarify CRL requirements 
for End Entity Certificates – For CRLite, Mozilla would like to ensure that it 
has full lists of revoked certificates. If the CA uses partial CRLs, then 
require CAs to provide the URL location of their full and complete CRL in the 
CCADB.

Ben Wilson
Mozilla Root Program Manager
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to