On Fri, Mar 25, 2022 at 4:32 PM Ben Wilson <[email protected]> wrote:
> 1- Should item 2. be amended to read: "the publicly disclosed documentation
> MUST be available from the CA operator's official website *or saved as an
> attachment in Bugzilla*" ? (Often, CA operators will upload
> documentation to Bugzilla.)

They do, but it's just as relevant to the relying public that they should be able to get it directly from the CA, right? The Bugzilla is just a means to a particular technical end, while the disclosure on the CA operator's website is the public transparency and accountability.

> 2 - Should item 3. be amended to read "the *publicly disclosed* documentation
> MUST be made available to Mozilla under one of the following Creative
> Commons licenses (or later versions): ..."? In other words, is the scope
> of "documentation" too broad? Should this be changed back to something more
> narrow like, "CPs, CPSes, and combined CP/CPSes MUST be made available
> ....")

No? The broad scope was intended (related to ensuring that Mozilla could make available - including via Bugzilla and/or CCADB - documents relevant to the trustworthiness of the CA).

> 3 - Should item 4. be amended to read "*the CP and CPS, or the combined
> CP/CPS,* MUST be reviewed and updated as necessary at least once every
> year, as required by the Baseline Requirements." ? The currently proposed
> "documentation" might be too broad because the Baseline Requirements uses
> the phrase "annually update a Certificate Policy and/or Certification
> Practice Statement". (Here, implementing the conjunctions "and" and "or"
> get messy.) Currently, the MRSP v. 2.7.1 uses the phrase "CPs and CPSes
> MUST be reviewed and updated...".

Maybe "All CPs, CPSes, and combined CP/CPSes, MUST be reviewed"... basically, trying to avoid the and/or combination (that often trips folks up) by ensuring it's a cohesive list. I'm a bit more on the fence of naming explicitly the CPS, since the CP is just as relevant for ascertaining policy being met.
For example, it's the policy that would detail validation requirements or certificate profiles, and while the practice statement describes how they ensure those requirements are met, the policy is just as much a relevant part. In a world of distinct CPs and CPSes, both would still need to be assessed for compliance and adherence. I realize you're far more versed in this from the ABA PAG days, but the argument for CPS would seem more relevant if Mozilla was dictating the CP, and the CPS was the CA's demonstration of how they fulfill that (i.e. the originally anticipated CP/CPS model), but that's not quite how things work today, so it seems easier to be flexible about.
