Maybe I didn't express myself properly, but what I said implies that the CA must publish the whole history of CP/CPS versions for any active CA or leaf certificate.
El viernes, 25 de marzo de 2022 a las 18:41:03 UTC+1, [email protected] escribió: > I think we need a retention period longer than 1 year. Can we make it > apply without reference to current certificate lifetimes? What if the > requirement were something like: "CA operators SHALL maintain links to > older versions of each CP and CPS for at least seven (7) years, regardless > of whether there is a sale, transfer, or acquisition of the CA." ? > > > On Fri, Mar 25, 2022 at 5:44 AM Pedro Fuentes <[email protected]> wrote: > >> Maybe it would be reasonable to request to keep visibility on any CP/CPS >> that applies to any active certificate (Root/Intermediate/Leaf) or to >> certificates expired within one year prior to the date. This would ensure >> that the last audit period always can consider any relevant CP/CPS >> >> El jueves, 24 de marzo de 2022 a las 23:45:55 UTC+1, [email protected] >> escribió: >> >>> A comment to me on this draft raised two issues in my mind: >>> >>> 1 - How far back should CAs need to maintain older CPs/CPSes? Should >>> there be a retention period for these (e.g. 7-10 years), even though the >>> root has not yet expired? >>> >>> 2 - What about when ownership of the root changes? Take for example the >>> GTE Cybertrust Root that was valid from 1998 to 2018. How should those >>> CPSes have been maintained when the root was transferred from GTE -> >>> Baltimore -> BeTrusted -> Cybertrust -> Verizon -> DigiCert? >>> >>> On Tue, Jan 18, 2022 at 4:03 PM Ben Wilson <[email protected]> wrote: >>> >>>> Here is another possible wording for new item 7 of MRSP 3.3 - "CAs >>>> SHALL maintain links to older versions of their CPs and CPSes until all >>>> root CA certificate hierarchies operated in accordance with such CP or CPS >>>> are no longer trusted in the Mozilla root program." >>>> Are there other suggested wordings that are better? >>>> >>>> On Sun, Jan 9, 2022 at 8:35 AM passerby184 <[email protected]> wrote: >>>> >>>>> "any related CA certificate hierarchy" sound too vague. guess this >>>>> means upstream of trust chain of that CA? one could argue that as parent >>>>> of >>>>> that certificate is related even after sign is expired, so CA have to >>>>> publish those CA's police until it's root expired, (like late 2030s for >>>>> most root CAs in NSS currently) >>>>> >>>>> 2022년 1월 8일 토요일 오전 5시 7분 36초 UTC+9에 [email protected]님이 작성: >>>>> >>>>>> All, >>>>>> >>>>>> This email introduces discussion of another issue to be resolved by >>>>>> the next version of the Mozilla Root Store Policy (MSRP), version 2.8. >>>>>> (See >>>>>> https://github.com/mozilla/pkipolicy/labels/2.8) >>>>>> >>>>>> This is tracked by Github Issue #185 >>>>>> <https://github.com/mozilla/pkipolicy/issues/185>. >>>>>> >>>>>> I have prepared draft language stating, "CAs SHALL maintain links to >>>>>> older versions of their CPs and CPSes for as long as any related CA >>>>>> certificate hierarchy is in the Mozilla root program." See >>>>>> https://github.com/BenWilson-Mozilla/pkipolicy/commit/3b217f923582f7cfd8d3915699602631bd12242e >>>>>> >>>>>> Please review and comment on the clarity of this proposed language. >>>>>> >>>>>> Thanks, >>>>>> >>>>>> Ben Wilson >>>>>> Mozilla Root Store Program >>>>>> >>>>>> -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/8b1400c1-179b-4caa-bf9c-59e194f5faa7n%40mozilla.org.
