On Tue, 19 Apr 2022 16:29:29 -0700 (PDT) "'Dustin Hollenback' via [email protected]" <[email protected]> wrote:
> Our understanding is that the information in Section 5.4
> Precertificates has been a Recommended Practice
> (https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Precertificates)
> for some time. Adding this new section changes it from a Recommended
> Practice to a Requirement.
>
> Similar to Section 6.1.1 that has a new requirement, can you set an
> effective date within the section that is farther out than the 2.8
> effective date. For consistency, I'd recommend setting the same date
> as another new section, 6.1.1, which is effective October 1, 2022.

The first two bullet points in Section 5.4 (about misissuance) are not new requirements, but follow from this statement in RFC6962:

"The signature on the TBSCertificate indicates the certificate authority's intent to issue a certificate. This intent is considered binding (i.e., misissuance of the Precertificate is considered equal to misissuance of the final certificate)."

This has been covered on this list and in incident reports ad nauseam since 2016, long before https://wiki.mozilla.org/CA/Required_or_Recommended_Practices even had a Precertificates section. All Section 5.4 does is make the existing requirements very explicit.

The last two bullet points in Section 5.4 (about revocation) were originally listed on https://wiki.mozilla.org/CA/Required_or_Recommended_Practices as a Required practice, as a clarification of Mozilla's existing requirements, which some CAs had already been held accountable for violating:

https://groups.google.com/g/mozilla.dev.security.policy/c/LC_y8yPDI9Q/m/S-aAK3r1BAAJ

However, they were moved to the Recommended section because of a concern that they conflicted with the Baseline Requirements:

https://groups.google.com/g/mozilla.dev.security.policy/c/LC_y8yPDI9Q/m/FzKrQbQJBwAJ

This conflict was resolved in 2019 with the passage of SC23. Thus, CAs have long been on notice about Mozilla's expectations and intentions.
Indeed, at least one CA already considers it a "clear" requirement to operate revocation services for certificates presumed to exist based on precertificates:

https://bugzilla.mozilla.org/show_bug.cgi?id=1763203#c1

Any CA that wasn't already compliant in 2019 has already had over two years to resolve that. I therefore see no reason why Section 5.4 needs a later effective date.

Regards,
Andrew
