All,

Here is another version of the proposed change to more clearly address Issue #195 <https://github.com/mozilla/pkipolicy/issues/195> (require public discussion when an organization receives a new subCA).

https://github.com/BenWilson-Mozilla/pkipolicy/commit/635b59a381e1b0087cc2fc0804e80173a766e9e6

Even though version 2.8 of the Mozilla Root Store Policy has not yet been adopted, CA operators accepted in the Mozilla program should already be aware of this existing wiki page concerning the creation of unconstrained intermediate CAs: https://wiki.mozilla.org/CA/External_Sub_CAs_not_Technically_Constrained. Therefore, I do not believe we need to specify a later effective date for this change. If there are problems or concerns with this approach, then please let me know.

These recent proposed changes are to help ensure that we have adequate bandwidth to handle the public discussions that we expect to have for the issuance of new CA certificates. However, despite this new language, we may still review the intermediate CA certificates of third-party CA operators with existing non-technically-constrained intermediate CAs who haven't undergone a public discussion, and later decide to have public discussions concerning such CA operators.

Thanks,
Ben

On Fri, Jan 21, 2022 at 7:57 PM Ben Wilson <[email protected]> wrote:
> All,
>
> This email introduces public discussion regarding additions/clarifications to be included in the next version of the Mozilla Root Store Policy (MRSP), version 2.8, to be published this year. (See https://github.com/mozilla/pkipolicy/labels/2.8)
>
> Github Issue #195 <https://github.com/mozilla/pkipolicy/issues/195> proposes that we clarify that public discussion is required when a new CA operator (not previously part of the Mozilla Program) obtains a sub CA that is not technically constrained.
>
> Here is some draft language for discussion. It would add to MRSP Section 7.1, after "We will make such decisions through a public process.", the following:
>
> This public-review-and-discussion process SHALL also occur for any CA operator obtaining an unconstrained CA certificate that has not previously undergone such process, regardless of when the unconstrained CA certificate was obtained. This includes CA operators with intermediate CAs that are currently trusted by Mozilla even though they do not have root CAs trusted by Mozilla (i.e. there is no "bootstrapping" or "grandfathering" for CA operators who have not previously undergone a public-review-and-discussion process by Mozilla).
>
> https://github.com/BenWilson-Mozilla/pkipolicy/commit/8f534855555a00b9289f9f6b05158647b74ad3ab
>
> We welcome your comments and suggestions.
>
> Thanks,
>
> Ben Wilson
> Mozilla Root Program
