All, I've added Issue <https://github.com/mozilla/pkipolicy/issues/243> #243 <https://github.com/mozilla/pkipolicy/issues/243> to this list of version 2.8.1 candidates. Related to the "annual update" of a CA's CP/CPS, the change would replace "at least once every year" in item 4 of MRSP section 3.3, with "at least every 365 days". Some have suggested that the current language could be interpreted to mean a calendar year, which was not the intent. Section 2.3 of the Baseline Requirements, which says "annually update", may also need to be clarified. I'll post something separately to the CA/B Forum's server-cert-WG list. This proposed change will also align with the CCADB's built-in 365-day calculation, which checks CP/CPS publication dates. Ben
On Fri, Nov 11, 2022 at 11:50 AM Ben Wilson <[email protected]> wrote: > All, > > I have narrowed down proposed changes for the version 2.8.1 batch of > changes to clarifications needed in the Mozilla Root Store Policy (MRSP) to > the following: > > Issue #249 <https://github.com/mozilla/pkipolicy/issues/249> – Clarify > that CA operators are required to maintain *all* applicable CPs and CPSes > during the CA’s lifetime > > Issue #251 <https://github.com/mozilla/pkipolicy/issues/251> – Clarify > that CAs not issuing certificates are not required to provide Full CRL > information in the CCADB > > Issue #253 <https://github.com/mozilla/pkipolicy/issues/253> – Clarify > that a CA must clearly specify the procedures that it employs and state > each subsection of 3.2.2.4 that it is complying with > > Issue #256 <https://github.com/mozilla/pkipolicy/issues/256> – I propose > that we close this issue (require Issuing Distribution Point extensions in > sharded CRLs) because it has been addressed recently by CA/Browser Forum > Ballot SC-058 > <https://cabforum.org/2022/11/11/ballot-sc58-require-distributionpoint-in-sharded-crls/> > > Issue # 257 <https://github.com/mozilla/pkipolicy/issues/257> – Require > that CAs also follow discussions on the CCADB Public List > > Here is a redlined version of the MRSP with the proposed changes, as they > currently exist. > > > https://github.com/mozilla/pkipolicy/compare/master...BenWilson-Mozilla:pkipolicy:2.8.1 > > Please let me know if other "clean up" items should be added to this batch > of changes. > > I will start separate discussion on each of these, beginning with Issue > #251, because it has been noted recently that more clarification is needed, > and the proposed language doesn't yet fully address the issue, see e.g., > https://bugzilla.mozilla.org/show_bug.cgi?id=1793210. > > Thanks, > > Ben > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaaOJPwFxoYZphm_v3_sV-rM_RDwU-67i1e9gX-aoBUaNQ%40mail.gmail.com.
