Hi Ben, if a party is relying on a 7+ year old CA, would they not want to consult / know the policies and practices that were in place at the time the CA's keys were generated or during the first years of its lifetime?

Thanks - Arvid

From: [email protected] <[email protected]> On Behalf Of Ben Wilson
Sent: Friday, 25 March 2022 18:41
To: Pedro Fuentes <[email protected]>
Cc: [email protected]
Subject: Re: Policy 2.8: MRSP Issue #185: Require publication of outdated CA policy documents

I think we need a retention period longer than 1 year. Can we make it apply without reference to current certificate lifetimes? What if the requirement were something like: "CA operators SHALL maintain links to older versions of each CP and CPS for at least seven (7) years, regardless of whether there is a sale, transfer, or acquisition of the CA." ?

On Fri, Mar 25, 2022 at 5:44 AM Pedro Fuentes <[email protected]> wrote:

Maybe it would be reasonable to request to keep visibility on any CP/CPS that applies to any active certificate (Root/Intermediate/Leaf) or to certificates expired within one year prior to the date. This would ensure that the last audit period can always consider any relevant CP/CPS.

On Thursday, 24 March 2022 at 23:45:55 UTC+1, [email protected] wrote:

A comment to me on this draft raised two issues in my mind:

1 - How far back should CAs need to maintain older CPs/CPSes? Should there be a retention period for these (e.g. 7-10 years), even though the root has not yet expired?

2 - What about when ownership of the root changes? Take for example the GTE Cybertrust Root that was valid from 1998 to 2018. How should those CPSes have been maintained when the root was transferred from GTE -> Baltimore -> BeTrusted -> Cybertrust -> Verizon -> DigiCert?

On Tue, Jan 18, 2022 at 4:03 PM Ben Wilson <[email protected]> wrote:

Here is another possible wording for new item 7 of MRSP 3.3 - "CAs SHALL maintain links to older versions of their CPs and CPSes until all root CA certificate hierarchies operated in accordance with such CP or CPS are no longer trusted in the Mozilla root program."

Are there other suggested wordings that are better?

On Sun, Jan 9, 2022 at 8:35 AM passerby184 <[email protected]> wrote:

"any related CA certificate hierarchy" sounds too vague. I guess this means the upstream of the trust chain of that CA? One could argue that the parent of that certificate is related even after the signature has expired, so CAs would have to publish those CAs' policies until their root expires (like late 2030s for most root CAs in NSS currently).

On Saturday, 8 January 2022 at 05:07:36 UTC+9, [email protected] wrote:

All,

This email introduces discussion of another issue to be resolved by the next version of the Mozilla Root Store Policy (MRSP), version 2.8. (See https://github.com/mozilla/pkipolicy/labels/2.8) This is tracked by GitHub Issue #185 (https://github.com/mozilla/pkipolicy/issues/185).

I have prepared draft language stating, "CAs SHALL maintain links to older versions of their CPs and CPSes for as long as any related CA certificate hierarchy is in the Mozilla root program." See https://github.com/BenWilson-Mozilla/pkipolicy/commit/3b217f923582f7cfd8d3915699602631bd12242e

Please review and comment on the clarity of this proposed language.

Thanks,
Ben Wilson
Mozilla Root Store Program
