Doug,

I don't have any preconceived notions. I was hoping that by discussing the implementation issues for each issue we could determine appropriate timeframes.

Ben

On Tue, Oct 6, 2020 at 12:19 PM Doug Beattie <doug.beat...@globalsign.com> wrote:

> Ben,
>
> When, approximately, do you think these proposed updates would become
> effective, and specifically this item:
>
> https://github.com/mozilla/pkipolicy/issues/206
>
> Doug
>
> -----Original Message-----
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org>
> On Behalf Of Ben Wilson via dev-security-policy
> Sent: Thursday, October 1, 2020 4:22 PM
> To: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: Policy 2.7.1 Issues to be Considered
>
> Below is a list of issues that I propose be addressed in the next version
> (2.7.1) of the Mozilla Root Store Policy (MRSP). There are currently 73
> issues related to the MRSP listed here:
> https://github.com/mozilla/pkipolicy/issues. So far, I have identified 13
> items to consider for this policy update, which are tagged as v.2.7.1 in
> GitHub (https://github.com/mozilla/pkipolicy/labels/2.7.1). I will
> appreciate your input on this list as to whether there are issues that
> should be added or removed. Then, based on the list, I will start a
> separate discussion thread in mozilla.dev.security.policy for each issue.
>
> #139 <https://github.com/mozilla/pkipolicy/issues/139> - Audits are
> required even if no longer issuing - Clarify that audits are required until
> the CA certificate is revoked, expired, or removed. Related to Issue #153.
>
> #147 <https://github.com/mozilla/pkipolicy/issues/147> - Require EV
> audits for certificates capable of issuing EV certificates – Clarify that
> EV audits are required for all intermediate certificates that are
> technically capable of issuing EV certificates, even when not currently
> issuing EV certificates.
>
> #153 <https://github.com/mozilla/pkipolicy/issues/153> – Cradle-to-Grave
> Contiguous Audits – Specify the audits that are required from Root key
> generation ceremony until expiration or removal from Mozilla’s root store.
> Related to Issue #139.
>
> #154 <https://github.com/mozilla/pkipolicy/issues/154> - Require
> Management Assertions to list Non-compliance – Add to MRSP 2.4 “If being
> audited to the WebTrust criteria, the Management Assertion letter MUST
> include all known incidents that occurred or were still open/unresolved at
> any time during the audit period.”
>
> #173 <https://github.com/mozilla/pkipolicy/issues/173> - Strengthen
> requirement for newly included roots to meet all past and present
> requirements – Add language to MRSP 7.1 so that it is clear that before
> being included CAs must comply and have complied with past and present
> Mozilla Root Store Policy and Baseline Requirements.
>
> #186 <https://github.com/mozilla/pkipolicy/issues/186> - Clarify MRSP 5.3
> Requirement to Disclose Self-signed Certificates – Clarify that self-signed
> certificates with the same key pair as an existing root meet MRSP 5.3’s
> definition of an intermediate certificate that must be disclosed in the
> CCADB.
>
> #187 <https://github.com/mozilla/pkipolicy/issues/187> - Require
> disclosure of incidents in Audit Reports – To MRSP 3.1.4 “The
> publicly-available documentation relating to each audit MUST contain at
> least the following clearly-labelled information:” add “11. all incidents
> (as defined in section 2.4) that occurred or were still open/unresolved at
> any time during the audit period, or a statement that the auditor is
> unaware of any;”
>
> #192 <https://github.com/mozilla/pkipolicy/issues/192> - Require
> information about auditor qualifications in the audit report – Require
> audit statements to be accompanied by documentation of the auditor’s
> qualifications demonstrating the auditor’s competence and experience.
>
> #205 <https://github.com/mozilla/pkipolicy/issues/205> - Require CAs to
> publish accepted methods for proving key compromise – Require CAs to
> disclose their acceptable methods for proving key compromise in section
> 4.9.12 of their CPS.
>
> #206 <https://github.com/mozilla/pkipolicy/issues/206> - Limit re-use of
> domain name verification to 395 days – Amend item 5 in MRSP 2.1 with “and
> verify ownership/control of each dNSName and iPAddress in the certificate's
> subjectAltName at intervals of 398 days or less;”
>
> #207 <https://github.com/mozilla/pkipolicy/issues/207> - Require audit
> statements to provide information about which CA Locations were and were
> not audited, and the extent to which they were (or were not) audited
>
> #211 <https://github.com/mozilla/pkipolicy/issues/211> - Align OCSP
> requirements in Mozilla's policy with the section 4.9.10 of the Baseline
> Requirements
>
> #218 <https://github.com/mozilla/pkipolicy/issues/218> - Clarify CRL
> requirements for End Entity Certificates – For CRLite, Mozilla would like
> to ensure that it has full lists of revoked certificates. If the CA uses
> partial CRLs, then require CAs to provide the URL location of their full
> and complete CRL in the CCADB.
>
> Ben Wilson
> Mozilla Root Program Manager
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy