Hi, Ben - I see in your redline that you removed the effective month/day but kept '2022'. Is your intent to make these proposed changes effective by end-of-year?
On Monday, November 14, 2022 at 5:30:00 PM UTC-7 [email protected] wrote:

> There is a possible correction to my last post re: 365 days, which might
> change to 398 days - see my comment here -
> https://github.com/cabforum/servercert/issues/370#issuecomment-1113441809.
>
> On Mon, Nov 14, 2022 at 5:25 PM Ben Wilson <[email protected]> wrote:
>
>> All,
>> I've added Issue #243
>> <https://github.com/mozilla/pkipolicy/issues/243> to this list of
>> version 2.8.1 candidates. Related to the "annual update" of a CA's CP/CPS,
>> the change would replace "at least once every year" in item 4 of MRSP
>> section 3.3, with "at least every 365 days". Some have suggested that the
>> current language could be interpreted to mean a calendar year, which was
>> not the intent. Section 2.3 of the Baseline Requirements, which says
>> "annually update", may also need to be clarified. I'll post something
>> separately to the CA/B Forum's server-cert-WG list. This proposed change
>> will also align with the CCADB's built-in 365-day calculation, which checks
>> CP/CPS publication dates.
>> Ben
>>
>> On Fri, Nov 11, 2022 at 11:50 AM Ben Wilson <[email protected]> wrote:
>>
>>> All,
>>>
>>> I have narrowed down proposed changes for the version 2.8.1 batch of
>>> changes to clarifications needed in the Mozilla Root Store Policy (MRSP) to
>>> the following:
>>>
>>> Issue #249 <https://github.com/mozilla/pkipolicy/issues/249> – Clarify
>>> that CA operators are required to maintain *all* applicable CPs and
>>> CPSes during the CA’s lifetime
>>>
>>> Issue #251 <https://github.com/mozilla/pkipolicy/issues/251> – Clarify
>>> that CAs not issuing certificates are not required to provide Full CRL
>>> information in the CCADB
>>>
>>> Issue #253 <https://github.com/mozilla/pkipolicy/issues/253> – Clarify
>>> that a CA must clearly specify the procedures that it employs and state
>>> each subsection of 3.2.2.4 that it is complying with
>>>
>>> Issue #256 <https://github.com/mozilla/pkipolicy/issues/256> – I
>>> propose that we close this issue (require Issuing Distribution Point
>>> extensions in sharded CRLs) because it has been addressed recently by
>>> CA/Browser
>>> Forum Ballot SC-058
>>> <https://cabforum.org/2022/11/11/ballot-sc58-require-distributionpoint-in-sharded-crls/>
>>>
>>> Issue #257 <https://github.com/mozilla/pkipolicy/issues/257> – Require
>>> that CAs also follow discussions on the CCADB Public List
>>>
>>> Here is a redlined version of the MRSP with the proposed changes, as
>>> they currently exist.
>>>
>>>
>>> https://github.com/mozilla/pkipolicy/compare/master...BenWilson-Mozilla:pkipolicy:2.8.1
>>>
>>>
>>> Please let me know if other "clean up" items should be added to this
>>> batch of changes.
>>>
>>> I will start separate discussion on each of these, beginning with Issue
>>> #251, because it has been noted recently that more clarification is needed,
>>> and the proposed language doesn't yet fully address the issue, see e.g.,
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1793210.
>>>
>>> Thanks,
>>>
>>> Ben
>>>
>>
