All,

As a follow-up to the previous post in this thread, I'm looking to streamline the public review process by addressing replacement CA certificates.

Currently, a key phrase in the wiki page (https://wiki.mozilla.org/CA/External_Sub_CAs_not_Technically_Constrained) is "The process outlined herein applies to root CA operators intending to sign a new subCA certificate that will grant the subCA operator the ability to issue certificates that they were not previously capable of issuing."

I intend to clarify this in both the MRSP v.2.8 and the wiki page with language that allows replacement of existing CA certificates without requiring the public discussion process.

For discussion purposes, let's assume that in 2020, the Root CA operator issued an unconstrained four-year CA certificate to an externally operated CA operator that has not previously been through a public discussion process. Now suppose that the same Root CA operator is about to issue a new, nearly-identical CA certificate to the same third-party CA operator. Under this new proposal, that issuance would be allowed without requiring public discussion. (Public discussion would occur later when a different CA-certificate-issuance situation presented itself with respect to that CA operator.)

Under this proposal, the change to section 7.1 of MRSP v.2.8 would read:

A public-review-and-discussion process, defined in [Process for Review and Approval of Externally Operated Subordinate CAs <https://wiki.mozilla.org/CA/External_Sub_CAs_not_Technically_Constrained>], SHALL occur whenever a CA operator has not previously undergone such process for the type of certificate to be issued and the CA operator will obtain a new unconstrained CA certificate with new issuance capabilities. For clarity, CA operators with intermediate CAs that are currently trusted because of having been signed by root CAs trusted by Mozilla are subject to this requirement.
However, this process is not required when:

· the CA operator has already undergone the public-review-and-discussion process for the type of certificate to be issued;
· new certificate-issuance capabilities are not being introduced;
· both CA operators are already in the Mozilla root program for the type of certificate to be issued; or
· the new CA certificate will be issued with the same issuance capabilities by the same root CA to replace a CA certificate that was issued prior to [date].

Also, the following part of the wiki page, https://wiki.mozilla.org/CA/External_Sub_CAs_not_Technically_Constrained, would be modified so that it is identical to the proposed MRSP change:

The process outlined herein is not required when:

· the CA operator has already undergone the public-review-and-discussion process for the type of certificate to be issued;
· new certificate-issuance capabilities are not being introduced;
· both CA operators are already in the Mozilla root program for the type of certificate to be issued; or
· the new CA certificate will be issued with the same issuance capabilities by the same root CA to replace a CA certificate that was issued prior to [date].

Thoughts?

Thanks,

Ben

On Fri, Feb 11, 2022 at 4:13 PM Ben Wilson <[email protected]> wrote:

> All,
>
> Here is another version of the proposed change to more clearly address Issue
> #195 <https://github.com/mozilla/pkipolicy/issues/195> (require public
> discussion when an organization receives a new subCA).
> https://github.com/BenWilson-Mozilla/pkipolicy/commit/635b59a381e1b0087cc2fc0804e80173a766e9e6
>
> Even though version 2.8 of Mozilla Root Store Policy has not yet been
> adopted, CA operators accepted in the Mozilla program should already be
> aware of this existing wiki page concerning the creation of unconstrained
> intermediate CAs:
> https://wiki.mozilla.org/CA/External_Sub_CAs_not_Technically_Constrained.
> Therefore, I do not believe we need to specify a later effective date for
> this change. If there are problems or concerns with this approach, then
> please let me know.
>
> These recent proposed changes are to help ensure that we have adequate
> bandwidth to handle the public discussions that we expect to have for the
> issuance of new CA certificates. However, despite this new language, we may
> still review the intermediate CA certificates of third party CA operators
> with existing non-technically constrained intermediate CAs who haven't
> undergone a public discussion and later decide to have public discussions
> concerning such CA operators.
>
> Thanks,
>
> Ben
>
> On Fri, Jan 21, 2022 at 7:57 PM Ben Wilson <[email protected]> wrote:
>
>> All,
>>
>> This email introduces public discussion regarding
>> additions/clarifications to be included in the next version of the Mozilla
>> Root Store Policy (MRSP), version 2.8, to be published this year. (See
>> https://github.com/mozilla/pkipolicy/labels/2.8)
>>
>> Github Issue #195 <https://github.com/mozilla/pkipolicy/issues/195>
>> proposes that we clarify that public discussion is required when a new CA
>> operator (not previously part of the Mozilla Program) obtains a sub CA that
>> is not technically constrained.
>>
>> Here is some draft language for discussion. It would add to MRSP Section
>> 7.1, after "We will make such decisions through a public process.", the
>> following:
>>
>> This public-review-and-discussion process SHALL also occur for any CA
>> operator obtaining an unconstrained CA certificate that has not previously
>> undergone such process, regardless of when the unconstrained CA certificate
>> was obtained. This includes CA operators with intermediate CAs that are
>> currently trusted by Mozilla even though they do not have root CAs trusted
>> by Mozilla (i.e. there is no "bootstrapping" or "grandfathering" for CA
>> operators who have not previously undergone a public-review-and-discussion
>> process by Mozilla).
>>
>> https://github.com/BenWilson-Mozilla/pkipolicy/commit/8f534855555a00b9289f9f6b05158647b74ad3ab
>>
>> We welcome your comments and suggestions.
>>
>> Thanks,
>>
>> Ben Wilson
>> Mozilla Root Program
