All,

Here are a couple of changes that were made today based on comments received:

MRSP 5.4 (Precertificates) - https://github.com/BenWilson-Mozilla/pkipolicy/commit/64b78a8b25855d0b7077e0b95707f3563b6c510a

MRSP 6.1.1 (CRL Revocation Reasons) - https://github.com/BenWilson-Mozilla/pkipolicy/commit/781a6c12c2f4770481af4f9070c0cec0acdf9342

I also decided to not make any changes to the "superseded" language in section 6.1.1.

Thanks,

Ben

On Wed, Apr 20, 2022 at 2:13 PM Ben Wilson <[email protected]> wrote:

> Yes - Mozilla allows for the inclusion of non-self-signed certificates as
> trust anchors.
> Ben
>
> On Wed, Apr 20, 2022 at 1:42 PM Corey Bonnell <[email protected]>
> wrote:
>
>> Hi Ben,
>>
>> Does Mozilla allow for the inclusion of non-self-signed certificates as
>> trust anchors? From a BR standpoint, the Root Certificate is self-signed
>> (“Root Certificate” is defined as “The self-signed Certificate issued by
>> the Root CA to identify itself and to facilitate verification of
>> Certificates issued to its Subordinate CAs.”). If I recall correctly, there
>> were historical exceptions to this, but I don’t believe there have been any
>> recently.
>>
>> If Mozilla does not allow for the inclusion of non-self-signed
>> certificates as trust anchors, then I think the entire section can be
>> deleted as the “intermediate” CA (relative to another PKI hierarchy,
>> presumably “private”) can certify itself and have the self-signed
>> certificate included in Mozilla.
>>
>> Thanks,
>>
>> Corey
>>
>> *From:* Ben Wilson <[email protected]>
>> *Sent:* Wednesday, April 20, 2022 2:00 PM
>> *To:* Corey Bonnell <[email protected]>
>> *Cc:* [email protected] <[email protected]>
>> *Subject:* Re: Policy 2.8: Final Review of MRSP v. 2.8
>>
>> Thanks, Corey.
>>
>> I'm wondering whether we should salvage anything in that section? We
>> could rename it "Other PKI Hierarchies", delete the second paragraph and
>> other wording that refers to "non-disclosable", etc., and make other tweaks
>> to keep the section and the discussion of submitting an intermediate CA
>> certificate as a trust anchor. Thoughts anyone?
>>
>> Thanks again,
>>
>> Ben
>>
>> On Wed, Apr 20, 2022 at 11:12 AM Corey Bonnell <[email protected]> wrote:
>>
>> Hi Ben,
>>
>> I believe the “Non-disclosable Intermediate Certificates” section of the
>> “CA/Subordinate CA Checklist” Wiki page [1] should be deleted given that
>> Mozilla is now requiring the disclosure of all TCSA certificates,
>> regardless of technical constraints.
>>
>> Thanks,
>>
>> Corey
>>
>> [1]
>> https://wiki.mozilla.org/CA/Subordinate_CA_Checklist#Non-disclosable_Intermediate_Certificates
>>
>> *From:* [email protected] <[email protected]>
>> *On Behalf Of *Ben Wilson
>> *Sent:* Wednesday, April 13, 2022 1:18 PM
>> *To:* [email protected] <[email protected]>
>> *Subject:* Policy 2.8: Final Review of MRSP v. 2.8
>>
>> All,
>>
>> Here are links helpful during your final review of version 2.8 of the
>> Mozilla Root Store Policy (MRSP):
>>
>> https://github.com/BenWilson-Mozilla/pkipolicy/blob/2.8/rootstore/policy.md
>>
>> https://github.com/mozilla/pkipolicy/compare/master...BenWilson-Mozilla:2.8
>> (redlined)
>>
>> Please review the changes and provide any additional comments by the end
>> of Tuesday, April 19, 2022.
>>
>> My plan is to move this version over to the Mozilla pkipolicy repository
>> on Github <https://github.com/mozilla/pkipolicy/tree/master/rootstore>,
>> and then I'll request that it be published on Mozilla's website
>> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/>
>> to replace version 2.7.1.
>>
>> Thanks,
>>
>> Ben
