The current language of MRSP section 7.1 says, "Before being included, CAs MUST provide evidence that their CA certificates have continually, from the time of creation, complied with the then-current Mozilla Root Store Policy and Baseline Requirements." If an older root were to be submitted for inclusion that does not meet current requirements, there might be an argument that the certificate met the "then-current" requirements even though it does not meet the current requirements. The purpose of this proposed revision to section 7.1 of the MRSP is to close this potential loophole.
The proposed language would amend the 4th paragraph of section 7.1 to read, "Before being included, CAs MUST provide evidence that their CA certificates *fully comply with the current Mozilla Root Store Requirements and Baseline Requirements, and* have continually, from the time of *CA private key* creation, complied with the then-current Mozilla Root Store Policy and Baseline Requirements. This email begins public discussion of this proposal for inclusion in version 2.7.1 of the MRSP. Thanks, Ben _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy