I think we need a retention period longer than 1 year. Can we make it apply without reference to current certificate lifetimes? What if the requirement were something like: "CA operators SHALL maintain links to older versions of each CP and CPS for at least seven (7) years, regardless of whether there is a sale, transfer, or acquisition of the CA." ?
On Fri, Mar 25, 2022 at 5:44 AM Pedro Fuentes <[email protected]> wrote: > Maybe it would be reasonable to request to keep visibility on any CP/CPS > that applies to any active certificate (Root/Intermediate/Leaf) or to > certificates expired within one year prior to the date. This would ensure > that the last audit period always can consider any relevant CP/CPS > > El jueves, 24 de marzo de 2022 a las 23:45:55 UTC+1, [email protected] > escribió: > >> A comment to me on this draft raised two issues in my mind: >> >> 1 - How far back should CAs need to maintain older CPs/CPSes? Should >> there be a retention period for these (e.g. 7-10 years), even though the >> root has not yet expired? >> >> 2 - What about when ownership of the root changes? Take for example the >> GTE Cybertrust Root that was valid from 1998 to 2018. How should those >> CPSes have been maintained when the root was transferred from GTE -> >> Baltimore -> BeTrusted -> Cybertrust -> Verizon -> DigiCert? >> >> On Tue, Jan 18, 2022 at 4:03 PM Ben Wilson <[email protected]> wrote: >> >>> Here is another possible wording for new item 7 of MRSP 3.3 - "CAs >>> SHALL maintain links to older versions of their CPs and CPSes until all >>> root CA certificate hierarchies operated in accordance with such CP or CPS >>> are no longer trusted in the Mozilla root program." >>> Are there other suggested wordings that are better? >>> >>> On Sun, Jan 9, 2022 at 8:35 AM passerby184 <[email protected]> wrote: >>> >>>> "any related CA certificate hierarchy" sound too vague. guess this >>>> means upstream of trust chain of that CA? one could argue that as parent of >>>> that certificate is related even after sign is expired, so CA have to >>>> publish those CA's police until it's root expired, (like late 2030s for >>>> most root CAs in NSS currently) >>>> >>>> 2022년 1월 8일 토요일 오전 5시 7분 36초 UTC+9에 [email protected]님이 작성: >>>> >>>>> All, >>>>> >>>>> This email introduces discussion of another issue to be resolved by >>>>> the next version of the Mozilla Root Store Policy (MSRP), version 2.8. >>>>> (See >>>>> https://github.com/mozilla/pkipolicy/labels/2.8) >>>>> >>>>> This is tracked by Github Issue #185 >>>>> <https://github.com/mozilla/pkipolicy/issues/185>. >>>>> >>>>> I have prepared draft language stating, "CAs SHALL maintain links to >>>>> older versions of their CPs and CPSes for as long as any related CA >>>>> certificate hierarchy is in the Mozilla root program." See >>>>> https://github.com/BenWilson-Mozilla/pkipolicy/commit/3b217f923582f7cfd8d3915699602631bd12242e >>>>> >>>>> Please review and comment on the clarity of this proposed language. >>>>> >>>>> Thanks, >>>>> >>>>> Ben Wilson >>>>> Mozilla Root Store Program >>>>> >>>>> -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZRMjYzP7peUtRfK-0P9OhxA4wYDB5OzfbsZ5kgOxy6wg%40mail.gmail.com.
