Corey,
We will add this to the 2.7.1 batch of proposed changes. I've started
discussion of Issue 147, so we can discuss it there, or I can create a
separate email thread for it.

On Fri, Oct 2, 2020 at 5:16 AM Corey Bonnell <cbonn...@outlook.com> wrote:

> Including https://github.com/mozilla/pkipolicy/issues/152 would be a
> useful clarification alongside issue 147, as it will better define the
> parameters that determine if a given intermediate is “EV capable”.
>
> Thanks,
> Corey
> ------------------------------
> *From:* dev-security-policy <dev-security-policy-boun...@lists.mozilla.org>
> on behalf of Ben Wilson via dev-security-policy <
> dev-security-policy@lists.mozilla.org>
> *Sent:* Thursday, October 1, 2020 4:21:48 PM
> *To:* mozilla-dev-security-policy <
> mozilla-dev-security-pol...@lists.mozilla.org>
> *Subject:* Policy 2.7.1 Issues to be Considered
>
> Below is a list of issues that I propose be addressed in the next version
> (2.7.1) of the Mozilla Root Store Policy (MRSP). There are currently 73
> issues related to the MRSP listed here:
> https://github.com/mozilla/pkipolicy/issues. So far, I have identified 13
> items to consider for this policy update, which are tagged as v.2.7.1 in
> GitHub (https://github.com/mozilla/pkipolicy/labels/2.7.1). I will
> appreciate your input on this list as to whether there are issues that
> should be added or removed. Then, based on the list, I will start a
> separate discussion thread in mozilla.dev.security.policy for each issue.
>
> #139 <https://github.com/mozilla/pkipolicy/issues/139> - Audits are
> required even if no longer issuing - Clarify that audits are required until
> the CA certificate is revoked, expired, or removed. Related to Issue #153.
>
> #147 <https://github.com/mozilla/pkipolicy/issues/147> - Require EV audits
> for certificates capable of issuing EV certificates – Clarify that EV
> audits are required for all intermediate certificates that are technically
> capable of issuing EV certificates, even when not currently issuing EV
> certificates.
>
> #153 <https://github.com/mozilla/pkipolicy/issues/153> – Cradle-to-Grave
> Contiguous Audits – Specify the audits that are required from Root key
> generation ceremony until expiration or removal from Mozilla’s root store.
> Related to Issue #139.
>
> #154 <https://github.com/mozilla/pkipolicy/issues/154> - Require Management
> Assertions to list Non-compliance – Add to MRSP 2.4 “If being audited to
> the WebTrust criteria, the Management Assertion letter MUST include all
> known incidents that occurred or were still open/unresolved at any time
> during the audit period.”
>
> #173 <https://github.com/mozilla/pkipolicy/issues/173> - Strengthen
> requirement for newly included roots to meet all past and present
> requirements – Add language to MRSP 7.1 so that it is clear that before
> being included CAs must comply and have complied with past and present
> Mozilla Root Store Policy and Baseline Requirements.
>
> #186 <https://github.com/mozilla/pkipolicy/issues/186> - Clarify MRSP 5.3
> Requirement to Disclose Self-signed Certificates – Clarify that self-signed
> certificates with the same key pair as an existing root meet MRSP 5.3’s
> definition of an intermediate certificate that must be disclosed in the
> CCADB.
>
> #187 <https://github.com/mozilla/pkipolicy/issues/187> - Require disclosure
> of incidents in Audit Reports – To MRSP 3.1.4 “The publicly-available
> documentation relating to each audit MUST contain at least the following
> clearly-labelled information:” add “11. all incidents (as defined in
> section 2.4) that occurred or were still open/unresolved at any time during
> the audit period, or a statement that the auditor is unaware of any;”
>
> #192 <https://github.com/mozilla/pkipolicy/issues/192> - Require
> information about auditor qualifications in the audit report – Require
> audit statements to be accompanied by documentation of the auditor’s
> qualifications demonstrating the auditor’s competence and experience.
>
> #205 <https://github.com/mozilla/pkipolicy/issues/205> - Require CAs to
> publish accepted methods for proving key compromise – Require CAs to
> disclose their acceptable methods for proving key compromise in section
> 4.9.12 of their CPS.
>
> #206 <https://github.com/mozilla/pkipolicy/issues/206> - Limit re-use of
> domain name verification to 395 days – Amend item 5 in MRSP 2.1 with “and
> verify ownership/control of each dNSName and iPAddress in the certificate's
> subjectAltName at intervals of 398 days or less;”
>
> #207 <https://github.com/mozilla/pkipolicy/issues/207> - Require audit
> statements to provide information about which CA Locations were and were
> not audited, and the extent to which they were (or were not) audited
>
> #211 <https://github.com/mozilla/pkipolicy/issues/211> - Align OCSP
> requirements in Mozilla's policy with the section 4.9.10 of the Baseline
> Requirements
>
> #218 <https://github.com/mozilla/pkipolicy/issues/218> - Clarify CRL
> requirements for End Entity Certificates – For CRLite, Mozilla would like
> to ensure that it has full lists of revoked certificates. If the CA uses
> partial CRLs, then require CAs to provide the URL location of their full
> and complete CRL in the CCADB.
>
> Ben Wilson
> Mozilla Root Program Manager
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
>
> https://lists.mozilla.org/listinfo/dev-security-policy
>