On Fri, Mar 25, 2022 at 12:24 PM Arvid Vermote <[email protected]>
wrote:

> Hi Ben, if a party is relying on a 7+ year old CA would they not want to
> consult / know the policies and practices that were in place at the time
> the CAs keys were generated or during the first years of its lifetime?
>

Yes - thanks!


>
>
> Thanks - Arvid
>
>
>
> *From:* [email protected] <[email protected]> *On
> Behalf Of *Ben Wilson
> *Sent:* Friday, 25 March 2022 18:41
> *To:* Pedro Fuentes <[email protected]>
> *Cc:* [email protected]
> *Subject:* Re: Policy 2.8: MRSP Issue #185: Require publication of
> outdated CA policy documents
>
>
>
> I think we need a retention period longer than 1 year. Can we make it
> apply without reference to current certificate lifetimes? What if the
> requirement were something like:  "CA operators SHALL maintain links to
> older versions of each CP and CPS for at least seven (7) years, regardless
> of whether there is a sale, transfer, or acquisition of the CA." ?
>
>
>
>
>
> On Fri, Mar 25, 2022 at 5:44 AM Pedro Fuentes <[email protected]>
> wrote:
>
> Maybe it would be reasonable to request to keep visibility on any CP/CPS
> that applies to any active certificate (Root/Intermediate/Leaf) or to
> certificates expired within one year prior to the date. This would ensure
> that the last audit period always can consider any relevant CP/CPS.
>
> On Thursday, March 24, 2022 at 23:45:55 UTC+1, [email protected]
> wrote:
>
> A comment to me on this draft raised two issues in my mind:
>
>
>
> 1 - How far back should CAs need to maintain older CPs/CPSes?  Should
> there be a retention period for these (e.g. 7-10 years), even though the
> root has not yet expired?
>
>
>
> 2 - What about when ownership of the root changes? Take for example the
> GTE Cybertrust Root that was valid from 1998 to 2018.  How should those
> CPSes have been maintained when the root was transferred from GTE ->
> Baltimore -> BeTrusted -> Cybertrust -> Verizon -> DigiCert?
>
>
>
> On Tue, Jan 18, 2022 at 4:03 PM Ben Wilson <[email protected]> wrote:
>
> Here is another possible wording for new item 7 of MRSP 3.3 - "CAs SHALL
> maintain links to older versions of their CPs and CPSes until all root CA
> certificate hierarchies operated in accordance with such CP or CPS are no
> longer trusted in the Mozilla root program."
>
> Are there other suggested wordings that are better?
>
>
>
> On Sun, Jan 9, 2022 at 8:35 AM passerby184 <[email protected]> wrote:
>
> "any related CA certificate hierarchy" sounds too vague. I guess this means
> upstream of the trust chain of that CA? One could argue that the parent of that
> certificate is related even after the sign is expired, so the CA has to publish
> those CA's policy until its root expires (like the late 2030s for most root
> CAs in NSS currently).
>
>
>
> On Saturday, January 8, 2022 at 5:07:36 AM UTC+9, [email protected] wrote:
>
> All,
>
>
>
> This email introduces discussion of another issue to be resolved by the
> next version of the Mozilla Root Store Policy (MRSP), version 2.8. (See
> https://github.com/mozilla/pkipolicy/labels/2.8)
>
>
>
> This is tracked by Github Issue #185
> <https://github.com/mozilla/pkipolicy/issues/185>.
>
>
>
> I have prepared draft language stating, "CAs SHALL maintain links to older
> versions of their CPs and CPSes for as long as any related CA certificate
> hierarchy is in the Mozilla root program."  See
> https://github.com/BenWilson-Mozilla/pkipolicy/commit/3b217f923582f7cfd8d3915699602631bd12242e
>
>
>
> Please review and comment on the clarity of this proposed language.
>
>
>
> Thanks,
>
>
>
> Ben Wilson
>
> Mozilla Root Store Program
>
>
>
