As an initial edit, I am proposing that we add the following language as a new subsection 6 to MRSP section 2.1 - "[CAs SHALL] provide services on a non-discriminatory basis to all applicants who meet the requirements and agree to abide by their obligations as specified in the CA's terms and conditions". See https://github.com/BenWilson-Mozilla/pkipolicy/commit/fab61408608feed365a9446ac47560a34c06cf85
On Thu, Oct 7, 2021 at 6:06 PM Ben Wilson <[email protected]> wrote: > All, > > This email is the first in a series of discussions concerning the next > version of the Mozilla Root Store Policy (MSRP), version 2.8, to be > published in 2022. (See https://github.com/mozilla/pkipolicy/labels/2.8) > > Issue #129 <https://github.com/mozilla/pkipolicy/issues/129> in GitHub > proposes that we add a policy of non-discrimination to the MRSP. > > This particular issue arose from discussions of whether CAs should be > allowed to arbitrarily refuse to issue or to revoke certificates. (The > situation involved an EV certificate for Stripe, Inc., of Kentucky, > https://groups.google.com/g/mozilla.dev.security.policy/c/NjMmyA6MxN0/m/asxTGD3dCAAJ). > Many of you argued that CAs should objectively and non-arbitrarily apply > the issuance and revocation standards of the CA/Browser Forum. The full > discussion can be read in the email thread referenced above, so I'll forego > any attempt to recap. > > Potential policy language can be paraphrased from the suggestion made in > Issue #129, which was to base language on ETSI 319 401--"Practices under > which the CA operates SHALL be non-discriminatory. The CA SHALL make its > services accessible to all applicants who meet the requirements and agree > to abide by their obligations as specified in the CA's terms and > conditions." Alternative wording might be something like, "Decisions not > to issue or to revoke a certificate should be based on the unbiased > application of the CA/Browser Forum's requirements using the objective > criteria stated therein," OR "CAs shall apply the CA/Browser Forum’s > issuance and revocation requirements in a non-arbitrary manner." > Is a variation of the language above sufficient? What do you suggest as > language? Should it be inserted somewhere in section 2 > <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#2-certificate-authorities> > of the MRSP? > > Thoughts? > > Thanks, > > Ben > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabsOaZP88JXg5qP%2BGjZoAvc0n4_Y2Y%2B63KF94h2OoTDDQ%40mail.gmail.com.
