A comment to me on this draft raised two issues in my mind:

1 - How far back should CAs need to maintain older CPs/CPSes?  Should there
be a retention period for these (e.g. 7-10 years), even though the root has
not yet expired?

2 - What about when ownership of the root changes? Take for example the GTE
Cybertrust Root that was valid from 1998 to 2018.  How should those CPSes
have been maintained when the root was transferred from GTE ->  Baltimore
-> BeTrusted -> Cybertrust -> Verizon -> DigiCert?

On Tue, Jan 18, 2022 at 4:03 PM Ben Wilson <[email protected]> wrote:

> Here is another possible wording for new item 7 of MRSP 3.3 - "CAs SHALL
> maintain links to older versions of their CPs and CPSes until all root CA
> certificate hierarchies operated in accordance with such CP or CPS are no
> longer trusted in the Mozilla root program."
> Are there other suggested wordings that are better?
>
> On Sun, Jan 9, 2022 at 8:35 AM passerby184 <[email protected]> wrote:
>
>> "any related CA certificate hierarchy" sounds too vague. Guess this means
>> upstream of trust chain of that CA? One could argue that as parent of that
>> certificate is related even after sign is expired, so CA have to publish
>> those CA's policies until its root expired (like late 2030s for most root
>> CAs in NSS currently).
>>
>> On Saturday, January 8, 2022 at 5:07:36 AM UTC+9, [email protected] wrote:
>>
>>> All,
>>>
>>> This email introduces discussion of another issue to be resolved by the
>>> next version of the Mozilla Root Store Policy (MRSP), version 2.8. (See
>>> https://github.com/mozilla/pkipolicy/labels/2.8)
>>>
>>> This is tracked by GitHub Issue #185
>>> <https://github.com/mozilla/pkipolicy/issues/185>.
>>>
>>> I have prepared draft language stating, "CAs SHALL maintain links to
>>> older versions of their CPs and CPSes for as long as any related CA
>>> certificate hierarchy is in the Mozilla root program."  See
>>> https://github.com/BenWilson-Mozilla/pkipolicy/commit/3b217f923582f7cfd8d3915699602631bd12242e
>>>
>>> Please review and comment on the clarity of this proposed language.
>>>
>>> Thanks,
>>>
>>> Ben Wilson
>>> Mozilla Root Store Program
>>>
>>>
