Hi Ben,

To me personally it would make the most sense if these requests would be classed as high priority but not as high as replacing an already-included cert. So like P1.5/a new P2. I am not sure how much practical difference this would make, and if it is not a lot, then it is probably fine to just add it to P1.
My thinking here is kinda that no real change in structure of CAs should be higher (or equal) priority than replacing an already-included CA cert. I will admit that I am not overly familiar with the details of this process and these are just my initial thoughts, so take this input with a grain of salt.

-Cynthia

On Mon, Mar 14, 2022 at 6:17 PM Ben Wilson <[email protected]> wrote:
>
> All,
>
> I am considering tweaking the prioritization criteria for inclusion requests
> to prioritize applicants who have been previously approved as externally
> operated intermediate CAs (and that are then requesting direct inclusion).
>
> So https://wiki.mozilla.org/CA/Prioritization would be updated. For example,
>
> "P1 = High (Applicant has good compliance history and is replacing an
> already-included CA certificate)"
> could become
> "P1 = High (Applicant has good compliance history and is replacing an
> already-included CA certificate or is previously approved as a subordinate CA
> operator)"
>
> "3 - Replacing Existing (Existing CA operators that are replacing an
> already-included root certificate)
> https://wiki.mozilla.org/CA/Certificate_Change_Process "
> could become
> "3 - Replacing Existing (Existing CA operators that are replacing an
> already-included root certificate,
> https://wiki.mozilla.org/CA/Certificate_Change_Process, or is a previously
> approved subordinate CA operator who is requesting direct inclusion) "
>
> I was also thinking that applications that only seek enablement of the email
> trust bit should be prioritized because the level of effort and due diligence
> to review those roots aren't as great as with those seeking enablement of the
> websites trust bit. I haven't developed language yet on how to prioritize
> SMIME-only roots. For instance, I might amend "5 - Single-Purpose, Separate
> Roots (Hierarchies that are separated by root for a particular purpose)" to
> address SMIME-only roots specifically.
>
> Thoughts?
>
> Ben
>
> --
> You received this message because you are subscribed to the Google Groups
> "[email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZJsfbiDo%3DKD90Rv_LwMOive5cFiMZC7%3DHVcaigkVTdqw%40mail.gmail.com.
