Maybe it would be reasonable to request to keep visibility on any CP/CPS 
that applies to any active certificate (Root/Intermediate/Leaf) or to 
certificates expired within one year prior to the date. This would ensure 
that the last audit period can always consider any relevant CP/CPS.

On Thursday, March 24, 2022 at 23:45:55 UTC+1, [email protected] 
wrote:

> A comment to me on this draft raised two issues in my mind:
>
> 1 - How far back should CAs need to maintain older CPs/CPSes?  Should 
> there be a retention period for these (e.g. 7-10 years), even though the 
> root has not yet expired?
>
> 2 - What about when ownership of the root changes? Take for example the 
> GTE Cybertrust Root that was valid from 1998 to 2018.  How should those 
> CPSes have been maintained when the root was transferred from GTE ->  
> Baltimore -> BeTrusted -> Cybertrust -> Verizon -> DigiCert?  
>
> On Tue, Jan 18, 2022 at 4:03 PM Ben Wilson <[email protected]> wrote:
>
>> Here is another possible wording for new item 7 of MRSP 3.3 - "CAs SHALL 
>> maintain links to older versions of their CPs and CPSes until all root CA 
>> certificate hierarchies operated in accordance with such CP or CPS are no 
>> longer trusted in the Mozilla root program."
>> Are there other suggested wordings that are better?
>>
>> On Sun, Jan 9, 2022 at 8:35 AM passerby184 <[email protected]> wrote:
>>
>>> "any related CA certificate hierarchy" sounds too vague. Guess this means 
>>> upstream of trust chain of that CA? One could argue that as parent of that 
>>> certificate is related even after sign is expired, so CA have to publish 
>>> those CA's policies until its root expired, (like late 2030s for most root 
>>> CAs in NSS currently)
>>>
>>> On Saturday, January 8, 2022 at 5:07:36 AM UTC+9, [email protected] wrote:
>>>
>>>> All,
>>>>
>>>> This email introduces discussion of another issue to be resolved by the 
>>>> next version of the Mozilla Root Store Policy (MRSP), version 2.8. (See 
>>>> https://github.com/mozilla/pkipolicy/labels/2.8)
>>>>
>>>> This is tracked by GitHub Issue #185 
>>>> <https://github.com/mozilla/pkipolicy/issues/185>. 
>>>>
>>>> I have prepared draft language stating, "CAs SHALL maintain links to 
>>>> older versions of their CPs and CPSes for as long as any related CA 
>>>> certificate hierarchy is in the Mozilla root program."  See 
>>>> https://github.com/BenWilson-Mozilla/pkipolicy/commit/3b217f923582f7cfd8d3915699602631bd12242e
>>>>
>>>> Please review and comment on the clarity of this proposed language.
>>>>
>>>> Thanks,
>>>>
>>>> Ben Wilson
>>>> Mozilla Root Store Program
>>>>
>>>>
