All,

This email starts a discussion related to GitHub Issue #283
<https://github.com/mozilla/pkipolicy/issues/283> and Section 7.1 of the
Mozilla Root Store Policy (MRSP), which deals with new root inclusions.

The purpose of this proposal is to encourage automation. Currently, the
proposed amendment to section 7.1 of the MRSP, as drafted in GitHub
<https://github.com/BenWilson-Mozilla/pkipolicy/commit/9f933ac3f1829418554da8aa24ea2a20174852df>,
states,

"Additionally, CA operators applying for inclusion of new TLS-issuing root
certificates MUST demonstrate support for at least one automated method of
certificate issuance for each type of TLS certificate (EV, OV, DV, IV) that
the CA issues. This means (1) automated domain control validation, as
defined in the TLS Baseline Requirements; and (2) automated certificate
issuance and retrieval processes. Such automated methods MUST minimize
hands-on human input during routine certificate issuance and renewal
processes and comply with the TLS Baseline Requirements, and EV Guidelines,
if applicable. Acceptable "hands-on" input includes initial software setup,
configuration, updates, and identity verification where required. CA
operators MUST disclose the URL for each such automation endpoint in the
CCADB and renew test certificates using such capability at least every 30
days to demonstrate compliance with these automation requirements."

This language needs some wordsmithing.  Also, I have not yet added any
language to address automated renewal. Suggested language is welcome.

In the interest of brevity, additional guidance and/or specifics of
implementation would be included in a wiki page, and it is a goal for these
to be similar to those in the Chrome Root Program Policy, so that the
impact on CA operators would be minimal.

Thanks,

Ben
