And the full lifetime of root CA certificates.  Correct? Regardless of
changes in ownership.

On Sun, Mar 27, 2022, 10:55 AM Pedro Fuentes <[email protected]> wrote:

> Maybe I didn't express myself properly, but what I said implies that the
> CA must publish the whole history of CP/CPS versions for any active CA or
> leaf certificate.
>
> On Friday, March 25, 2022 at 18:41:03 UTC+1, [email protected]
> wrote:
>
>> I think we need a retention period longer than 1 year. Can we make it
>> apply without reference to current certificate lifetimes? What if the
>> requirement were something like:  "CA operators SHALL maintain links to
>> older versions of each CP and CPS for at least seven (7) years, regardless
>> of whether there is a sale, transfer, or acquisition of the CA." ?
>>
>>
>> On Fri, Mar 25, 2022 at 5:44 AM Pedro Fuentes <[email protected]> wrote:
>>
>>> Maybe it would be reasonable to request to keep visibility on any CP/CPS
>>> that applies to any active certificate (Root/Intermediate/Leaf) or to
>>> certificates expired within one year prior to the date. This would ensure
>>> that the last audit period can always consider any relevant CP/CPS.
>>>
>>> On Thursday, March 24, 2022 at 23:45:55 UTC+1, [email protected]
>>> wrote:
>>>
>>>> A comment to me on this draft raised two issues in my mind:
>>>>
>>>> 1 - How far back should CAs need to maintain older CPs/CPSes?  Should
>>>> there be a retention period for these (e.g. 7-10 years), even though the
>>>> root has not yet expired?
>>>>
>>>> 2 - What about when ownership of the root changes? Take for example the
>>>> GTE Cybertrust Root that was valid from 1998 to 2018.  How should those
>>>> CPSes have been maintained when the root was transferred from GTE ->
>>>> Baltimore -> BeTrusted -> Cybertrust -> Verizon -> DigiCert?
>>>>
>>>> On Tue, Jan 18, 2022 at 4:03 PM Ben Wilson <[email protected]> wrote:
>>>>
>>>>> Here is another possible wording for new item 7 of MRSP 3.3 - "CAs
>>>>> SHALL maintain links to older versions of their CPs and CPSes until all
>>>>> root CA certificate hierarchies operated in accordance with such CP or CPS
>>>>> are no longer trusted in the Mozilla root program."
>>>>> Are there other suggested wordings that are better?
>>>>>
>>>>> On Sun, Jan 9, 2022 at 8:35 AM passerby184 <[email protected]> wrote:
>>>>>
>>>>>> "any related CA certificate hierarchy" sounds too vague. I guess this
>>>>>> means the upstream trust chain of that CA? One could argue that the parent
>>>>>> of that certificate is related even after the signed certificate has
>>>>>> expired, so the CA would have to publish those CAs' policies until its
>>>>>> root expires (like the late 2030s for most root CAs currently in NSS).
>>>>>>
>>>>>> On Saturday, January 8, 2022 at 5:07:36 AM UTC+9, [email protected] wrote:
>>>>>>
>>>>>>> All,
>>>>>>>
>>>>>>> This email introduces discussion of another issue to be resolved by
>>>>>>> the next version of the Mozilla Root Store Policy (MSRP), version 2.8.
>>>>>>> (See https://github.com/mozilla/pkipolicy/labels/2.8)
>>>>>>>
>>>>>>> This is tracked by Github Issue #185
>>>>>>> <https://github.com/mozilla/pkipolicy/issues/185>.
>>>>>>>
>>>>>>> I have prepared draft language stating, "CAs SHALL maintain links to
>>>>>>> older versions of their CPs and CPSes for as long as any related CA
>>>>>>> certificate hierarchy is in the Mozilla root program."  See
>>>>>>> https://github.com/BenWilson-Mozilla/pkipolicy/commit/3b217f923582f7cfd8d3915699602631bd12242e
>>>>>>>
>>>>>>> Please review and comment on the clarity of this proposed language.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Ben Wilson
>>>>>>> Mozilla Root Store Program
>>>>>>>
>>>>>>>
