All,
I might try to get these in place before the end of 2022, but I think it's
unlikely.  While we're going through this process, please look at each
proposed edit to the Mozilla Root Store Policy, identify any potential
implementation-scheduling problems, and then communicate those back to the
list.
Thanks,
Ben


On Tue, Nov 22, 2022 at 12:27 PM Aaron Poulsen <[email protected]>
wrote:

> Hi, Ben - I see in your redline that you removed the effective month/day
> but kept '2022'. Is your intent to make these proposed changes effective by
> end-of-year?
>
> On Monday, November 14, 2022 at 5:30:00 PM UTC-7 [email protected] wrote:
>
>> There is a possible correction to my last post re: 365 days, which might
>> change to 398 days - see my comment here -
>> https://github.com/cabforum/servercert/issues/370#issuecomment-1113441809
>> .
>>
>> On Mon, Nov 14, 2022 at 5:25 PM Ben Wilson <[email protected]> wrote:
>>
>>> All,
>>> I've added Issue #243 <https://github.com/mozilla/pkipolicy/issues/243>
>>> to this list of
>>> version 2.8.1 candidates. Related to the "annual update" of a CA's CP/CPS,
>>> the change would replace "at least once every year" in item 4 of MRSP
>>> section 3.3, with "at least every 365 days". Some have suggested that the
>>> current language could be interpreted to mean a calendar year, which was
>>> not the intent. Section 2.3 of the Baseline Requirements, which says
>>> "annually update", may also need to be clarified. I'll post something
>>> separately to the CA/B Forum's server-cert-WG list.  This proposed change
>>> will also align with the CCADB's built-in 365-day calculation, which checks
>>> CP/CPS publication dates.
>>> Ben
>>>
>>> On Fri, Nov 11, 2022 at 11:50 AM Ben Wilson <[email protected]> wrote:
>>>
>>>> All,
>>>>
>>>> I have narrowed down proposed changes for the version 2.8.1 batch of
>>>> changes to clarifications needed in the Mozilla Root Store Policy (MRSP) to
>>>> the following:
>>>>
>>>> Issue #249 <https://github.com/mozilla/pkipolicy/issues/249> – Clarify
>>>> that CA operators are required to maintain *all* applicable CPs and
>>>> CPSes during the CA’s lifetime
>>>>
>>>> Issue #251 <https://github.com/mozilla/pkipolicy/issues/251> – Clarify
>>>> that CAs not issuing certificates are not required to provide Full CRL
>>>> information in the CCADB
>>>>
>>>> Issue #253 <https://github.com/mozilla/pkipolicy/issues/253> – Clarify
>>>> that a CA must clearly specify the procedures that it employs and state
>>>> each subsection of 3.2.2.4 that it is complying with
>>>>
>>>> Issue #256 <https://github.com/mozilla/pkipolicy/issues/256> – I
>>>> propose that we close this issue (require Issuing Distribution Point
>>>> extensions in sharded CRLs) because it has been addressed recently by
>>>> CA/Browser Forum Ballot SC-058
>>>> <https://cabforum.org/2022/11/11/ballot-sc58-require-distributionpoint-in-sharded-crls/>
>>>>
>>>> Issue #257 <https://github.com/mozilla/pkipolicy/issues/257> –
>>>> Require that CAs also follow discussions on the CCADB Public List
>>>>
>>>> Here is a redlined version of the MRSP with the proposed changes, as
>>>> they currently exist.
>>>>
>>>>
>>>> https://github.com/mozilla/pkipolicy/compare/master...BenWilson-Mozilla:pkipolicy:2.8.1
>>>>
>>>> Please let me know if other "clean up" items should be added to this
>>>> batch of changes.
>>>>
>>>> I will start separate discussion on each of these, beginning with Issue
>>>> #251, because it has been noted recently that more clarification is needed,
>>>> and the proposed language doesn't yet fully address the issue, see e.g.,
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1793210.
>>>>
>>>> Thanks,
>>>>
>>>> Ben
>>>>
>>>
