Hello Ben and all,
We have put some thought into the practicality of this new requirement and how it will function considering the existing definition of High Risk Certificate Request. This led us to multiple questions for the functionality of this requirement. If CA’s are allowed to identify their own High Risk requests using internally derived risk-mitigation criteria what distinguishes this behavior from non-discriminatory behavior? For example, If we have our own CA name in the High Risk category to prevent potential copy write issues, does that constitute us being discriminatory? Is it deemed acceptable for the CA to reject this type of request because they consider it High-Risk or a violation of their Terms? Furthermore, what happens when a certificate is questioned to be discriminatory? Is there an expectation for a CA to publicly provide private information that the customer used to attempt to obtain the certificate in order to justify its decision? We hope to engage in some conversation around this issue so we all have a clear path forward prior to this requirement being instituted. Thank you, Joanna Fox TrustCor Systems On Tuesday, October 19, 2021 at 1:54:32 PM UTC-7 [email protected] wrote: > As an initial edit, I am proposing that we add the following language as a > new subsection 6 to MRSP section 2.1 - "[CAs SHALL] provide services on a > non-discriminatory basis to all applicants who meet the requirements and > agree to abide by their obligations as specified in the CA's terms and > conditions". See > https://github.com/BenWilson-Mozilla/pkipolicy/commit/fab61408608feed365a9446ac47560a34c06cf85 > > > > On Thu, Oct 7, 2021 at 6:06 PM Ben Wilson <[email protected]> wrote: > >> All, >> >> This email is the first in a series of discussions concerning the next >> version of the Mozilla Root Store Policy (MSRP), version 2.8, to be >> published in 2022. (See https://github.com/mozilla/pkipolicy/labels/2.8) >> >> Issue #129 <https://github.com/mozilla/pkipolicy/issues/129> in GitHub >> proposes that we add a policy of non-discrimination to the MRSP. >> >> This particular issue arose from discussions of whether CAs should be >> allowed to arbitrarily refuse to issue or to revoke certificates. (The >> situation involved an EV certificate for Stripe, Inc., of Kentucky, >> https://groups.google.com/g/mozilla.dev.security.policy/c/NjMmyA6MxN0/m/asxTGD3dCAAJ). >> >> Many of you argued that CAs should objectively and non-arbitrarily apply >> the issuance and revocation standards of the CA/Browser Forum. The full >> discussion can be read in the email thread referenced above, so I'll forego >> any attempt to recap. >> >> Potential policy language can be paraphrased from the suggestion made in >> Issue #129, which was to base language on ETSI 319 401--"Practices under >> which the CA operates SHALL be non-discriminatory. The CA SHALL make its >> services accessible to all applicants who meet the requirements and agree >> to abide by their obligations as specified in the CA's terms and >> conditions." Alternative wording might be something like, "Decisions not >> to issue or to revoke a certificate should be based on the unbiased >> application of the CA/Browser Forum's requirements using the objective >> criteria stated therein," OR "CAs shall apply the CA/Browser Forum’s >> issuance and revocation requirements in a non-arbitrary manner." >> Is a variation of the language above sufficient? What do you suggest as >> language? Should it be inserted somewhere in section 2 >> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#2-certificate-authorities> >> >> of the MRSP? >> >> Thoughts? >> >> Thanks, >> >> Ben >> > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/c9e3fe1c-e2cc-4892-be63-0f962535bb14n%40mozilla.org.
