All,

I've made recent changes here: https://github.com/BenWilson-Mozilla/pkipolicy/commit/02285dbb0115c3e61941940dd75e26aa85404406 (to MRSP 5.4, per Andrew's comments) and here: https://github.com/BenWilson-Mozilla/pkipolicy/commit/6ef59e784020da21954ddb15488fa865917e1152 (to MRSP 6.1.1, per Rob Stradling's comments here: https://github.com/BenWilson-Mozilla/pkipolicy/commit/060b169294da548a8de30ec65397aadab56f12fb )

Ben

On Thu, Apr 14, 2022 at 1:41 PM Andrew Ayer <[email protected]> wrote:

> It would, thanks!
>
> Regards,
> Andrew
>
> On Thu, 14 Apr 2022 13:28:13 -0600
> Ben Wilson <[email protected]> wrote:
>
> > Thanks, Andrew
> >
> > Would this address your comments?
> >
> > 5.4 Precertificates
> >
> > Certificate Transparency precertificates are considered by Mozilla to
> > be a binding intent to issue a certificate, as described in section
> > 3.1 of RFC 6962, and thus in-scope for enforcing compliance with
> > these requirements. Thus,
> >
> > · if a final certificate cannot be verified as matching a
> > precertificate using the algorithms in RFC 6962, then two distinct
> > final certificates are presumed to exist, and it is misissuance if
> > the two final certificates have the same serial number and issuer,
> > even if only one final certificate actually exists;
> >
> > · if a precertificate implies the existence of a final
> > certificate that does not comply with this policy, it is considered
> > misissuance of the final certificate, even if the certificate does
> > not actually exist;
> >
> > · a CA must be able to revoke a certificate presumed to exist,
> > if revocation of the certificate is required under this policy, even
> > if the final certificate does not actually exist; and
> >
> > · a CA must provide CRL and OCSP services and responses in
> > accordance with this policy for all certificates presumed to exist
> > based on the presence of a precertificate, even if the certificate
> > does not actually exist.
> >
> > On Thu, Apr 14, 2022 at 12:01 PM Andrew Ayer <[email protected]>
> > wrote:
> >
> > > Hi Ben,
> > >
> > > My comments about the precertificates section haven't been fully
> > > addressed:
> > >
> > > https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/Co65loD9i-0/m/Trt4N9QQAgAJ
> > >
> > > Regards,
> > > Andrew
> > >
> > > On Wed, 13 Apr 2022 11:18:24 -0600
> > > Ben Wilson <[email protected]> wrote:
> > >
> > > > All,
> > > >
> > > > Here are links helpful during your final review of version 2.8 of
> > > > the Mozilla Root Store Policy (MRSP) :
> > > >
> > > > https://github.com/BenWilson-Mozilla/pkipolicy/blob/2.8/rootstore/policy.md
> > > >
> > > > https://github.com/mozilla/pkipolicy/compare/master...BenWilson-Mozilla:2.8
> > > > (redlined)
> > > >
> > > > Please review the changes and provide any additional comments by
> > > > the end of Tuesday, April 19, 2022.
> > > >
> > > > My plan is to move this version over to the Mozilla pkipolicy
> > > > repository on Github
> > > > <https://github.com/mozilla/pkipolicy/tree/master/rootstore>, and
> > > > then I'll request that it be published on Mozilla's website
> > > > <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/>
> > > > to replace version 2.7.1.
> > > >
> > > > Thanks,
> > > >
> > > > Ben
> > > >
> > > > --
> > > > You received this message because you are subscribed to the Google
> > > > Groups "[email protected]" group. To unsubscribe
> > > > from this group and stop receiving emails from it, send an email
> > > > to [email protected]. To view this
> > > > discussion on the web visit
> > > > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaby8DypMdN2ih3xF_nf0FoshtaKUes-KC%2Baxfi-3cRiqw%40mail.gmail.com
> > > > .
