The current language of MRSP section 7.1 says, "Before being included, CAs
MUST provide evidence that their CA certificates have continually, from the
time of creation, complied with the then-current Mozilla Root Store Policy
and Baseline Requirements." If an older root were to be submitted for
inclusion that does not meet current requirements, there might be an
argument that the certificate met the "then-current" requirements even
though it does not meet the current requirements. The purpose of this
proposed revision to section 7.1 of the MRSP is to close this potential
loophole.

The proposed language would amend the 4th paragraph of section 7.1 to read,
"Before being included, CAs MUST provide evidence that their CA
certificates *fully comply with the current Mozilla Root Store Requirements
and Baseline Requirements, and* have continually, from the time of *CA
private key* creation, complied with the then-current Mozilla Root Store
Policy and Baseline Requirements.

This email begins public discussion of this proposal for inclusion in
version 2.7.1 of the MRSP.

Thanks,

Ben
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to