Greetings,

This email introduces discussion of another issue selected to be addressed
in the next version of the Mozilla Root Store Policy (MRSP), version 2.8,
to be published in 2022. (See
https://github.com/mozilla/pkipolicy/labels/2.8)
This is Issue #227 <https://github.com/mozilla/pkipolicy/issues/227>.


The MRSP uses the terms “CP/CPS” and also “CP and CPS” and “CP or CPS”.

According to RFC 3647
<https://datatracker.ietf.org/doc/html/rfc3647#section-1.1> and X.509, a
certificate policy (CP) is "a named set of rules that indicates the
applicability of a certificate to a particular community and/or class of
applications with common security requirements."

Also, according to RFC 3647, a certification practices statement (CPS) is a
"more detailed description of the practices followed by a CA in issuing and
otherwise managing certificates", and “also describe practices relating to
all certificate lifecycle services (e.g., issuance, management, revocation,
and renewal or re-keying),” and CPSes provide details concerning other
business, legal, and technical matters.

(Some CAs publish a combined CP-CPS.)

More often, the stated requirements are found in a CP, while a CPS
describes how such requirements are met. Thus, a CA’s CPS is the more
likely candidate, and preference or emphasis should be placed in the MRSP
on the CPS as the location for a CA’s statements of how it meets Mozilla’s
requirements.

Currently, MRSP section 3.3 states, “We rely on *publicly disclosed
documentation* (e.g., in a Certificate Policy and Certification Practice
Statement) to ascertain that our requirements are met.”  MRSP section 3.3
goes on to say, “*the publicly disclosed documentation* [must] provide[]
sufficient information for Mozilla to determine whether and how the CA
complies with this policy, including a description of the steps taken by
the CA to verify certificate requests;” (emphasis added).

Here is a first draft redline to address this Issue #227:
https://github.com/BenWilson-Mozilla/pkipolicy/commit/a7b53420d5ab9edd347ff16dfdf4448dc4af9ed7

In a couple places in MRSP section 3.3, I replaced "CP/CPS" with "the
documentation" since we're talking about "the publicly disclosed
documentation".

For MRSP section 2.2, one approach would be to replace “CP/CPS” with “the
CPS (or, if applicable, the CP or CP/CPS)”.  Or that phrase could even be
re-written to say “the CPS (or, if applicable, the CP or *combined CP-CPS*)”
(the goal of this latter approach would be to replace "CP/CPS" in the
MRSP).

Thoughts?

Thanks,
Ben
