Thanks, Joanna. These are good questions to consider. On Monday, October 25, 2021 at 2:16:03 PM UTC-6 [email protected] wrote:
> Hello Ben and all, > > We have put some thought into the practicality of this new requirement and > how it will function considering the existing definition of High Risk > Certificate Request. This led us to multiple questions for the > functionality of this requirement. > > If CA’s are allowed to identify their own High Risk requests using > internally derived risk-mitigation criteria what distinguishes this > behavior from non-discriminatory behavior? > > For example, If we have our own CA name in the High Risk category to > prevent potential copy write issues, does that constitute us being > discriminatory? > > Is it deemed acceptable for the CA to reject this type of request because > they consider it High-Risk or a violation of their Terms? > > Furthermore, what happens when a certificate is questioned to be > discriminatory? Is there an expectation for a CA to publicly provide > private information that the customer used to attempt to obtain the > certificate in order to justify its decision? > > We hope to engage in some conversation around this issue so we all have a > clear path forward prior to this requirement being instituted. > Thank you, > Joanna Fox > TrustCor Systems > On Tuesday, October 19, 2021 at 1:54:32 PM UTC-7 [email protected] wrote: > >> As an initial edit, I am proposing that we add the following language as >> a new subsection 6 to MRSP section 2.1 - "[CAs SHALL] provide services on a >> non-discriminatory basis to all applicants who meet the requirements and >> agree to abide by their obligations as specified in the CA's terms and >> conditions". See >> https://github.com/BenWilson-Mozilla/pkipolicy/commit/fab61408608feed365a9446ac47560a34c06cf85 >> >> >> >> On Thu, Oct 7, 2021 at 6:06 PM Ben Wilson <[email protected]> wrote: >> >>> All, >>> >>> This email is the first in a series of discussions concerning the next >>> version of the Mozilla Root Store Policy (MSRP), version 2.8, to be >>> published in 2022. (See https://github.com/mozilla/pkipolicy/labels/2.8) >>> >>> Issue #129 <https://github.com/mozilla/pkipolicy/issues/129> in GitHub >>> proposes that we add a policy of non-discrimination to the MRSP. >>> >>> This particular issue arose from discussions of whether CAs should be >>> allowed to arbitrarily refuse to issue or to revoke certificates. (The >>> situation involved an EV certificate for Stripe, Inc., of Kentucky, >>> https://groups.google.com/g/mozilla.dev.security.policy/c/NjMmyA6MxN0/m/asxTGD3dCAAJ). >>> >>> Many of you argued that CAs should objectively and non-arbitrarily apply >>> the issuance and revocation standards of the CA/Browser Forum. The full >>> discussion can be read in the email thread referenced above, so I'll forego >>> any attempt to recap. >>> >>> Potential policy language can be paraphrased from the suggestion made in >>> Issue #129, which was to base language on ETSI 319 401--"Practices under >>> which the CA operates SHALL be non-discriminatory. The CA SHALL make its >>> services accessible to all applicants who meet the requirements and agree >>> to abide by their obligations as specified in the CA's terms and >>> conditions." Alternative wording might be something like, "Decisions >>> not to issue or to revoke a certificate should be based on the unbiased >>> application of the CA/Browser Forum's requirements using the objective >>> criteria stated therein," OR "CAs shall apply the CA/Browser Forum’s >>> issuance and revocation requirements in a non-arbitrary manner." >>> Is a variation of the language above sufficient? What do you suggest as >>> language? Should it be inserted somewhere in section 2 >>> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#2-certificate-authorities> >>> >>> of the MRSP? >>> >>> Thoughts? >>> >>> Thanks, >>> >>> Ben >>> >> -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/8346ed63-dca8-4777-9f73-df7e4d4ce008n%40mozilla.org.
