There is a possible correction to my last post re: 365 days, which might
change to 398 days - see my comment here -
https://github.com/cabforum/servercert/issues/370#issuecomment-1113441809.

On Mon, Nov 14, 2022 at 5:25 PM Ben Wilson <[email protected]> wrote:

> All,
> I've added Issue #243
> <https://github.com/mozilla/pkipolicy/issues/243> to this list of version
> 2.8.1 candidates. Related to the "annual update" of a CA's CP/CPS, the
> change would replace "at least once every year" in item 4 of MRSP section
> 3.3, with "at least every 365 days". Some have suggested that the current
> language could be interpreted to mean a calendar year, which was not the
> intent. Section 2.3 of the Baseline Requirements, which says "annually
> update", may also need to be clarified. I'll post something separately to
> the CA/B Forum's server-cert-WG list.  This proposed change will also align
> with the CCADB's built-in 365-day calculation, which checks CP/CPS
> publication dates.
> Ben
>
> On Fri, Nov 11, 2022 at 11:50 AM Ben Wilson <[email protected]> wrote:
>
>> All,
>>
>> I have narrowed down proposed changes for the version 2.8.1 batch of
>> changes to clarifications needed in the Mozilla Root Store Policy (MRSP) to
>> the following:
>>
>> Issue #249 <https://github.com/mozilla/pkipolicy/issues/249> – Clarify
>> that CA operators are required to maintain *all* applicable CPs and
>> CPSes during the CA’s lifetime
>>
>> Issue #251 <https://github.com/mozilla/pkipolicy/issues/251> – Clarify
>> that CAs not issuing certificates are not required to provide Full CRL
>> information in the CCADB
>>
>> Issue #253 <https://github.com/mozilla/pkipolicy/issues/253> – Clarify
>> that a CA must clearly specify the procedures that it employs and state
>> each subsection of 3.2.2.4 that it is complying with
>>
>> Issue #256 <https://github.com/mozilla/pkipolicy/issues/256> – I propose
>> that we close this issue (require Issuing Distribution Point extensions in
>> sharded CRLs) because it has been addressed recently by CA/Browser Forum
>> Ballot SC-058
>> <https://cabforum.org/2022/11/11/ballot-sc58-require-distributionpoint-in-sharded-crls/>
>>
>> Issue #257 <https://github.com/mozilla/pkipolicy/issues/257> – Require
>> that CAs also follow discussions on the CCADB Public List
>>
>> Here is a redlined version of the MRSP with the proposed changes, as they
>> currently exist.
>>
>>
>> https://github.com/mozilla/pkipolicy/compare/master...BenWilson-Mozilla:pkipolicy:2.8.1
>>
>> Please let me know if other "clean up" items should be added to this
>> batch of changes.
>>
>> I will start a separate discussion on each of these, beginning with Issue
>> #251, because it has been noted recently that more clarification is needed,
>> and the proposed language doesn't yet fully address the issue, see e.g.,
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1793210.
>>
>> Thanks,
>>
>> Ben
>>
>
