Thanks for the comments received so far. I'd like to close discussion on this next Tuesday, 14-Dec-2021. Discussion of Issue #3 (discourage CA certificate renewal/modification and encourage new CAs for crypto agility) could be started in a new thread. We could also submit the issue on Github - see https://github.com/mozilla/pkipolicy/issues.

Thanks again,
Ben
On Wed, Dec 8, 2021 at 5:58 AM Ryan Dickson <[email protected]> wrote:
> [Posting on behalf of Google Chrome]
>
> Hi Ben,
>
> A few thoughts for last week's discussion, sorry for the delay:
>
> 1. We do not feel that this discussion should delay Sectigo’s remediation planning to align with the BRs or the inclusion of any other approved root that previously performed the same type of certificate modification. Unless/until this behavior is explicitly prohibited, it’s unfair to change course now.
> 2. The primary concern in Sectigo’s case is that their Web PKI CP and CPS indicate, “*Sectigo does not offer Certificate modification. Instead, Sectigo will revoke the old Certificate and issue a new Certificate as a replacement.*”
> 3. Long-term, to reduce the potential for interoperability issues and promote simplicity, should we look to prohibit both CA certificate renewal and modification and instead promote the establishment of new CAs (encouraging crypto agility) - either through the BRs or by way of root program requirements? If this discussion is best served in a separate thread to avoid detracting from the immediate issue at hand, no problem.
> 4. In the spirit of points above, and alongside personal views shared by Ryan Sleevi, a root transition and subsequent CA decommissioning would be the optimal path forward to comply with the commitments made in Sectigo’s policies and, by extension, the BRs.
>
> Thanks,
> Ryan
>
>
> On Thu, Dec 2, 2021 at 4:29 PM Kathleen Wilson <[email protected]> wrote:
>>
>> replacement is separate from, and neither here nor there, for remediation of the issue, objectively and technically speaking
>>
>> Given this information, and that Bug #1735407 <https://bugzilla.mozilla.org/show_bug.cgi?id=1735407> is about replacing currently-included root certificates so it does not add risk, I will keep Bug #1735407 <https://bugzilla.mozilla.org/show_bug.cgi?id=1735407> in the December 2021 batch of root changes.
>>
>> Thanks,
>> Kathleen
>>
>>
>> --
>> You received this message because you are subscribed to the Google Groups "[email protected]" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/98f61dfe-6389-4fbb-b611-fe73b336addbn%40mozilla.org
