Corey,

We will add this to the 2.7.1 batch of proposed changes. I've started discussion of Issue 147, so we can discuss it there, or I can create a separate email thread for it.

On Fri, Oct 2, 2020 at 5:16 AM Corey Bonnell <cbonn...@outlook.com> wrote:

> Including https://github.com/mozilla/pkipolicy/issues/152 would be a
> useful clarification alongside issue 147, as it will better define the
> parameters that determine if a given intermediate is “EV capable”.
>
> Thanks,
> Corey
> ------------------------------
> *From:* dev-security-policy <dev-security-policy-boun...@lists.mozilla.org>
> on behalf of Ben Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org>
> *Sent:* Thursday, October 1, 2020 4:21:48 PM
> *To:* mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
> *Subject:* Policy 2.7.1 Issues to be Considered
>
> Below is a list of issues that I propose be addressed in the next version
> (2.7.1) of the Mozilla Root Store Policy (MRSP). There are currently 73
> issues related to the MRSP listed here:
> https://github.com/mozilla/pkipolicy/issues.
> So far, I have identified 13 items to consider for this policy update,
> which are tagged as v.2.7.1 in GitHub
> (https://github.com/mozilla/pkipolicy/labels/2.7.1).
> I will appreciate your input on this list as to whether there are issues
> that should be added or removed. Then, based on the list, I will start a
> separate discussion thread in mozilla.dev.security.policy for each issue.
>
> #139 <https://github.com/mozilla/pkipolicy/issues/139> - Audits are
> required even if no longer issuing - Clarify that audits are required until
> the CA certificate is revoked, expired, or removed. Related to Issue #153.
>
> #147 <https://github.com/mozilla/pkipolicy/issues/147> - Require EV audits
> for certificates capable of issuing EV certificates – Clarify that EV
> audits are required for all intermediate certificates that are technically
> capable of issuing EV certificates, even when not currently issuing EV
> certificates.
>
> #153 <https://github.com/mozilla/pkipolicy/issues/153> – Cradle-to-Grave
> Contiguous Audits – Specify the audits that are required from Root key
> generation ceremony until expiration or removal from Mozilla’s root store.
> Related to Issue #139.
>
> #154 <https://github.com/mozilla/pkipolicy/issues/154> - Require Management
> Assertions to list Non-compliance – Add to MRSP 2.4 “If being audited to
> the WebTrust criteria, the Management Assertion letter MUST include all
> known incidents that occurred or were still open/unresolved at any time
> during the audit period.”
>
> #173 <https://github.com/mozilla/pkipolicy/issues/173> - Strengthen
> requirement for newly included roots to meet all past and present
> requirements – Add language to MRSP 7.1 so that it is clear that before
> being included CAs must comply and have complied with past and present
> Mozilla Root Store Policy and Baseline Requirements.
>
> #186 <https://github.com/mozilla/pkipolicy/issues/186> - Clarify MRSP 5.3
> Requirement to Disclose Self-signed Certificates – Clarify that self-signed
> certificates with the same key pair as an existing root meet MRSP 5.3’s
> definition of an intermediate certificate that must be disclosed in the
> CCADB.
>
> #187 <https://github.com/mozilla/pkipolicy/issues/187> - Require disclosure
> of incidents in Audit Reports – To MRSP 3.1.4 “The publicly-available
> documentation relating to each audit MUST contain at least the following
> clearly-labelled information:” add “11. all incidents (as defined in
> section 2.4) that occurred or were still open/unresolved at any time during
> the audit period, or a statement that the auditor is unaware of any;”
>
> #192 <https://github.com/mozilla/pkipolicy/issues/192> - Require
> information about auditor qualifications in the audit report – Require
> audit statements to be accompanied by documentation of the auditor’s
> qualifications demonstrating the auditor’s competence and experience.
>
> #205 <https://github.com/mozilla/pkipolicy/issues/205> - Require CAs to
> publish accepted methods for proving key compromise – Require CAs to
> disclose their acceptable methods for proving key compromise in section
> 4.9.12 of their CPS.
>
> #206 <https://github.com/mozilla/pkipolicy/issues/206> - Limit re-use of
> domain name verification to 395 days – Amend item 5 in MRSP 2.1 with “and
> verify ownership/control of each dNSName and iPAddress in the certificate's
> subjectAltName at intervals of 398 days or less;”
>
> #207 <https://github.com/mozilla/pkipolicy/issues/207> - Require audit
> statements to provide information about which CA Locations were and were
> not audited, and the extent to which they were (or were not) audited
>
> #211 <https://github.com/mozilla/pkipolicy/issues/211> - Align OCSP
> requirements in Mozilla's policy with the section 4.9.10 of the Baseline
> Requirements
>
> #218 <https://github.com/mozilla/pkipolicy/issues/218> Clarify CRL
> requirements for End Entity Certificates – For CRLite, Mozilla would like
> to ensure that it has full lists of revoked certificates.
> If the CA uses partial CRLs, then require CAs to provide the URL location
> of their full and complete CRL in the CCADB.
>
> Ben Wilson
> Mozilla Root Program Manager
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy