The issue I have with "at least every 365 days" is that I like to put 
something on the schedule and do it the same month every year. We do this 
with our annual compliance audit. If we have to provide the self-assessment 
at least every 365 days, then each year it will be earlier to provide some 
insurance time to meet the requirement. Is there any way we can provide the 
requirement to stop this progression? Something like "on an annual basis, 
but not longer than 398 days".

On Friday, June 23, 2023 at 12:05:03 PM UTC-4 Ben Wilson wrote:

> All,
>
> Historically, Mozilla has required that CAs perform an annual 
> Self-Assessment of their compliance with the CA/Browser Forum's TLS 
> Baseline Requirements and Mozilla's Root Store Policy (MRSP).  See 
> https://wiki.mozilla.org/CA/Compliance_Self-Assessment. While there has 
> not been any requirement that CAs submit their self-assessments to Mozilla, 
> several CAs have made it a practice to do so.
>
> We would like to propose that the operators of TLS CAs (those with the 
> websites trust bit enabled) be required to submit these self-assessments 
> annually by providing a link to them in the Common CA Database (CCADB). 
> Therefore, we are proposing a new section 3.4 in the MRSP to read as 
> follows:
>
> ---- Begin Draft for MRSP-----
>
> 3.4 Compliance Self-Assessments
> Effective January 1, 2024, CA operators with CA certificates capable of 
> issuing working TLS server certificates MUST complete a [Compliance 
> Self-Assessment](https://www.ccadb.org/cas/self-assessment) at least 
> every 365 days and provide the Common CA Database with the location where 
> that Compliance Self-Assessment can be retrieved. 
>
> ----- End Draft for MRSP -----
>
> The effective date of January 1, 2024, is not intended to result in a huge 
> batch of self-assessments being submitted that day. Rather, we would hope 
> that CAs begin providing the locations of their self-assessments as soon as 
> possible by completing the "Self-Assessment" section under the "Root 
> Information" tab of an Add/Update Root Case in the CCADB 
> <https://www.ccadb.org/cas/updates>. (The field for this information 
> already exists in the CCADB under the heading "Self-Assessment".)
>
> Please provide any comments or suggestions.
>
> Thanks,
>
> Ben and Kathleen
>
>
