All,

In a recent bug[1] we received a couple of requests for clarifications of the Mozilla Root Store Policy (MRSP), version 2.8, which require further discussion here.
The first request concerned OCSP for precertificates generated before October 1, 2022,[2] and the second highlighted how we do not require revocation reason codes for end entity certificates revoked before October 1, 2022. At least one common thread is the retroactive application of new requirements.

1. MRSP section 5.4[3] says, “Effective October 1, 2022, … a CA MUST provide CRL and OCSP services and responses in accordance with this policy for all certificates presumed to exist based on the presence of a precertificate, even if the certificate does not actually exist.” One interpretation is that the effective date showed an intent to allow CAs to start implementing this requirement for certificates and precertificates issued on or after October 1, 2022. Another interpretation is that the requirement mainly concerned the provision of CRL and OCSP services as of October 1, 2022, regardless of certificate/precertificate issuance dates.[4]

2. MRSP section 6.1.1[5] says, “This section applies to revocations that are performed after October 1, 2022. Revocation entries that appeared on a CRL prior to October 1, 2022, do NOT need to be changed as a result of this section.” In the bug mentioned above, Dimitris made a comment[6] that, according to a discussion previously on m.d.s.p.,[7] the community expected that CAs would retroactively update revocation reason codes for CA certificates, which was different from section 6.1.1 in the v.2.8 policy, which did not require that for end entity TLS certificates. I believe his points were that section 6.1.1 also needed clarification and that more consistency was needed.

We’d like to provide more clear guidance on the two issues mentioned above. Kathleen and I both believe that we need to balance the need to move the implementation of requirements forward with the benefits of requiring retroactive compliance.
There is benefit in moving forward from an effective date, but there may also be a benefit in reaching back when requirements can be reasonably implemented. To promote clear and consistent requirements, we’d like to discuss these issues further. We look forward to your thoughtful comments.

Thanks,
Ben

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1793443

[2] In the referenced incident, precertificates were created before October 1, 2022, but no corresponding final certificates were created. We responded, “our effective dates for policy changes typically apply to certificates issued after the effective date” and “The requirement does not include pre-certificates issued before October 1, 2022. All pre-certificates issued on October 1, 2022, or later must satisfy the requirement.” https://bugzilla.mozilla.org/show_bug.cgi?id=1793443#c9

[3] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#54-precertificates

[4] https://bugzilla.mozilla.org/show_bug.cgi?id=1793443#c6

[5] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#611-end-entity-tls-certificate-crlrevocation-reasons

[6] https://bugzilla.mozilla.org/show_bug.cgi?id=1793443#c17

[7] https://groups.google.com/g/mozilla.dev.security.policy/c/7z6dqwdc16o/m/RKj7RXitCgAJ