The proposed change to a MUST is a good one, as I understand that disclosing the BR method numbers of the DV methods that the CA employs is already a requirement as documented in the CA Required or Recommended Practices [1]. This change will align the two documents.
Thanks, Corey [1] https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Verifying_Domain_Name_Ownership On Tuesday, November 15, 2022 at 12:16:29 PM UTC-5 [email protected] wrote: > All, > > The purpose of this thread is to discuss any concerns or suggestions > regarding a sentence in item 3 of section 2.2 in the Mozilla Root Store > Policy > <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#22-validation-practices>. > > In Mozilla's PKI Policy repository in GitHub, Issue #253 > <https://github.com/mozilla/pkipolicy/issues/253>, it is suggested that > we replace lower case "must" and uppercase "SHOULD" with uppercase "MUST". > > This sentence in MRSP section 2.2 would then read: > > The CA operator's CPS (or, if applicable, the CP or CP/CPS) must *MUST* > clearly specify the procedure(s) that the CA employs, and each documented > procedure SHOULD *MUST* state which subsection of 3.2.2.4 it is complying > with. > > (See also > https://github.com/BenWilson-Mozilla/pkipolicy/commit/389a73615e4658b49b346aeaecbb4dd8fca0c955 > ) > > Any thoughts or suggestions? > > Thanks, > > Ben > > > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/fe91a19f-51a9-40fd-9b5b-4e9671b40654n%40mozilla.org.
