Re: Next Root Store Policy Update
We've concluded discussions on the individual issues and can begin work to finalize the version 2.7 Root Store Policy update. Here is a redline of all the changes: https://github.com/mozilla/pkipolicy/compare/master...2.7 (click on the Files Changed tab)

As noted below, two of these changes include effective dates. Otherwise, CAs are expected to comply on or soon after the effective date of this version of the policy. I expect the effective date for this version to be sometime in December or early January.

I will greatly appreciate everyone's review of and feedback on these changes.

- Wayne

Here is the status of the original set of issues:

176 - Clarify revocation requirements for S/MIME certs: included in the 2.7 draft policy
175 - Forbidden Practices wiki page says email validation cannot be delegated to 3rd parties: included in the 2.7 draft policy
173 - Strengthen requirement for newly included roots to meet all current requirements: I decided to gather more information on the impact before proceeding with this change.
172 - Update section 5.3 to include Policy Certification Authorities as an exception to the mandatory EKU inclusion requirement: decided not to implement this.
171 - Require binding of CA certificates to CP/CPS: included in the 2.7 draft policy
170 - Clarify Section 5.1 about allowed ECDSA curve-hash pair: included in the 2.7 draft policy
169, 140 - Extend Section 8 to also encompass subordinate CAs: included in the 2.7 draft policy
168, 161, 158 - Require Incident Reports, move practices into policy: included in the 2.7 draft policy. Issue #158 may require CP/CPS updates and thus has an effective date of April 1, 2020
163 - Require EKUs in end-entity certificates (S/MIME): included in the 2.7 draft policy with an effective date of July 1, 2020
162 - Require disclosure of CA software vendor/version in incident report: decided not to implement this
159 - Clarify section 5.3.1 Technically Constrained: included in the 2.7 draft policy
152 - Add EV audit exception for policy constrained intermediates: I decided to defer this to a future policy discussion
151 - Change PITRA to Point-in-Time assessment in section 8: included in the 2.7 draft policy

The following issues are also resolved in the 2.7 draft:

167 - Add P-521 exclusion to Baseline Requirements exceptions in section 2.3
177 - Clarify revocation requirements for intermediate certificates in regards to ca-compliance bugs
191 - Update section 1.2 to reflect creation of TLMC for appeals
193 - Require incident disclosure transitively for all sub-CAs

- Wayne

On Wed, Oct 2, 2019 at 3:17 PM Wayne Thayer wrote:

> Over the past 3 months, a number of other projects distracted me from this
> work. Now I'd like to focus on finishing these updates to our Root Store
> policy. There are roughly 6 issues remaining to be discussed, and I will,
> as always, greatly appreciate everyone's input on them. I'll be sending out
> individual emails on each issue.
>
> Meanwhile, you can view a redline of the changes we previously agreed on:
> https://github.com/mozilla/pkipolicy/compare/master...2.7
>
> - Wayne
>
> On Wed, Mar 27, 2019 at 4:12 PM Wayne Thayer wrote:
>
>> I've added a few more issues that were recently created to the list for
>> 2.7: https://github.com/mozilla/pkipolicy/labels/2.7
>>
>> 176 - Clarify revocation requirements for S/MIME certs
>> 175 - Forbidden Practices wiki page says email validation cannot be
>> delegated to 3rd parties
>>
>> I plan to begin posting issues for discussion shortly.
>>
>>
>> On Fri, Mar 8, 2019 at 2:12 PM Wayne Thayer wrote:
>>
>>> Later this month, I would like to begin discussing a number of proposed
>>> changes to the Mozilla Root Store policy [1]. I have reviewed the list of
>>> issues on GitHub and labeled the ones that I recommend discussing:
>>> https://github.com/mozilla/pkipolicy/labels/2.7 They are:
>>>
>>> 173 - Strengthen requirement for newly included roots to meet all
>>> current requirements
>>> 172 - Update section 5.3 to include Policy Certification Authorities as
>>> an exception to the mandatory EKU inclusion requirement
>>> 171 - Require binding of CA certificates to CP/CPS
>>> 170 - Clarify Section 5.1 about allowed ECDSA curve-hash pair
>>> 169, 140 - Extend Section 8 to also encompass subordinate CAs
>>> 168, 161, 158 - Require Incident Reports, move practices into policy
>>> 163 - Require EKUs in end-entity certificates (S/MIME)
>>> 162 - Require disclosure of CA software vendor/version in incident report
>>> 159 - Clarify section 5.3.1 Technically Constrained
>>> 152 - Add EV audit exception for policy constrained intermediates
>>> 151 - Change PITRA to Point-in-Time assessment in section 8
>>>
>>> I will appreciate any feedback on the proposed list of issues to discuss.
>>>
>>> I do recognize that the current DarkMatter discussions could result in
>>> the need to add some additional items to this list.
>>>
>>> I have created a new branch for
RE: Next Root Store Policy Update
One suggestion on incident reports is to define "regularly update" as some period of time as non-responses can result in additional incident reports. Maybe something along the lines of "the greater of every 7 days, the time period specified in the next update field by Mozilla, or the time period for the next update as agreed upon with Mozilla".

I'd also change "the corresponding bug is resolved by a Mozilla representative" to "the corresponding bug is marked as resolved in bugzilla by a Mozilla representative" since the CA is resolving the actual bug, and Mozilla is managing its perception on the bug's status.

Jeremy

-----Original Message-----
From: dev-security-policy On Behalf Of Wayne Thayer via dev-security-policy
Sent: Wednesday, October 2, 2019 4:17 PM
To: mozilla-dev-security-policy
Subject: Re: Next Root Store Policy Update

Over the past 3 months, a number of other projects distracted me from this work. Now I'd like to focus on finishing these updates to our Root Store policy. There are roughly 6 issues remaining to be discussed, and I will, as always, greatly appreciate everyone's input on them. I'll be sending out individual emails on each issue.

Meanwhile, you can view a redline of the changes we previously agreed on:
https://github.com/mozilla/pkipolicy/compare/master...2.7

- Wayne

On Wed, Mar 27, 2019 at 4:12 PM Wayne Thayer wrote:

> I've added a few more issues that were recently created to the list for
> 2.7: https://github.com/mozilla/pkipolicy/labels/2.7
>
> 176 - Clarify revocation requirements for S/MIME certs
> 175 - Forbidden Practices wiki page says email validation cannot be
> delegated to 3rd parties
>
> I plan to begin posting issues for discussion shortly.
>
>
> On Fri, Mar 8, 2019 at 2:12 PM Wayne Thayer wrote:
>
>> Later this month, I would like to begin discussing a number of
>> proposed changes to the Mozilla Root Store policy [1]. I have
>> reviewed the list of issues on GitHub and labeled the ones that I
>> recommend discussing:
>> https://github.com/mozilla/pkipolicy/labels/2.7 They are:
>>
>> 173 - Strengthen requirement for newly included roots to meet all
>> current requirements
>> 172 - Update section 5.3 to include Policy Certification Authorities
>> as an exception to the mandatory EKU inclusion requirement
>> 171 - Require binding of CA certificates to CP/CPS
>> 170 - Clarify Section 5.1 about allowed ECDSA curve-hash pair
>> 169, 140 - Extend Section 8 to also encompass subordinate CAs
>> 168, 161, 158 - Require Incident Reports, move practices into policy
>> 163 - Require EKUs in end-entity certificates (S/MIME)
>> 162 - Require disclosure of CA software vendor/version in incident
>> report
>> 159 - Clarify section 5.3.1 Technically Constrained
>> 152 - Add EV audit exception for policy constrained intermediates
>> 151 - Change PITRA to Point-in-Time assessment in section 8
>>
>> I will appreciate any feedback on the proposed list of issues to discuss.
>>
>> I do recognize that the current DarkMatter discussions could result
>> in the need to add some additional items to this list.
>>
>> I have created a new branch for drafting these changes [1] and made
>> one commit that adds a bullet to the BR Conformance section informing
>> the reader that Mozilla policy has a more restrictive list of
>> approved algorithms [3]
>>
>> As we've done in the past, I plan to post individual issues for
>> discussion in small batches over the next few months, with the goal
>> of finalizing version 2.7 by June.
>>
>> - Wayne
>>
>> [1] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
>> [2] https://github.com/mozilla/pkipolicy/blob/2.7/rootstore/policy.md
>> [3] https://github.com/mozilla/pkipolicy/issues/167

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: Next Root Store Policy Update
Over the past 3 months, a number of other projects distracted me from this work. Now I'd like to focus on finishing these updates to our Root Store policy. There are roughly 6 issues remaining to be discussed, and I will, as always, greatly appreciate everyone's input on them. I'll be sending out individual emails on each issue.

Meanwhile, you can view a redline of the changes we previously agreed on:
https://github.com/mozilla/pkipolicy/compare/master...2.7

- Wayne

On Wed, Mar 27, 2019 at 4:12 PM Wayne Thayer wrote:

> I've added a few more issues that were recently created to the list for
> 2.7: https://github.com/mozilla/pkipolicy/labels/2.7
>
> 176 - Clarify revocation requirements for S/MIME certs
> 175 - Forbidden Practices wiki page says email validation cannot be
> delegated to 3rd parties
>
> I plan to begin posting issues for discussion shortly.
>
>
> On Fri, Mar 8, 2019 at 2:12 PM Wayne Thayer wrote:
>
>> Later this month, I would like to begin discussing a number of proposed
>> changes to the Mozilla Root Store policy [1]. I have reviewed the list of
>> issues on GitHub and labeled the ones that I recommend discussing:
>> https://github.com/mozilla/pkipolicy/labels/2.7 They are:
>>
>> 173 - Strengthen requirement for newly included roots to meet all current
>> requirements
>> 172 - Update section 5.3 to include Policy Certification Authorities as
>> an exception to the mandatory EKU inclusion requirement
>> 171 - Require binding of CA certificates to CP/CPS
>> 170 - Clarify Section 5.1 about allowed ECDSA curve-hash pair
>> 169, 140 - Extend Section 8 to also encompass subordinate CAs
>> 168, 161, 158 - Require Incident Reports, move practices into policy
>> 163 - Require EKUs in end-entity certificates (S/MIME)
>> 162 - Require disclosure of CA software vendor/version in incident report
>> 159 - Clarify section 5.3.1 Technically Constrained
>> 152 - Add EV audit exception for policy constrained intermediates
>> 151 - Change PITRA to Point-in-Time assessment in section 8
>>
>> I will appreciate any feedback on the proposed list of issues to discuss.
>>
>> I do recognize that the current DarkMatter discussions could result in
>> the need to add some additional items to this list.
>>
>> I have created a new branch for drafting these changes [1] and made one
>> commit that adds a bullet to the BR Conformance section informing the
>> reader that Mozilla policy has a more restrictive list of approved
>> algorithms [3]
>>
>> As we've done in the past, I plan to post individual issues for
>> discussion in small batches over the next few months, with the goal of
>> finalizing version 2.7 by June.
>>
>> - Wayne
>>
>> [1] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
>> [2] https://github.com/mozilla/pkipolicy/blob/2.7/rootstore/policy.md
>> [3] https://github.com/mozilla/pkipolicy/issues/167
Re: Next Root Store Policy Update
I've added a few more issues that were recently created to the list for 2.7: https://github.com/mozilla/pkipolicy/labels/2.7

176 - Clarify revocation requirements for S/MIME certs
175 - Forbidden Practices wiki page says email validation cannot be delegated to 3rd parties

I plan to begin posting issues for discussion shortly.

On Fri, Mar 8, 2019 at 2:12 PM Wayne Thayer wrote:

> Later this month, I would like to begin discussing a number of proposed
> changes to the Mozilla Root Store policy [1]. I have reviewed the list of
> issues on GitHub and labeled the ones that I recommend discussing:
> https://github.com/mozilla/pkipolicy/labels/2.7 They are:
>
> 173 - Strengthen requirement for newly included roots to meet all current
> requirements
> 172 - Update section 5.3 to include Policy Certification Authorities as an
> exception to the mandatory EKU inclusion requirement
> 171 - Require binding of CA certificates to CP/CPS
> 170 - Clarify Section 5.1 about allowed ECDSA curve-hash pair
> 169, 140 - Extend Section 8 to also encompass subordinate CAs
> 168, 161, 158 - Require Incident Reports, move practices into policy
> 163 - Require EKUs in end-entity certificates (S/MIME)
> 162 - Require disclosure of CA software vendor/version in incident report
> 159 - Clarify section 5.3.1 Technically Constrained
> 152 - Add EV audit exception for policy constrained intermediates
> 151 - Change PITRA to Point-in-Time assessment in section 8
>
> I will appreciate any feedback on the proposed list of issues to discuss.
>
> I do recognize that the current DarkMatter discussions could result in the
> need to add some additional items to this list.
>
> I have created a new branch for drafting these changes [1] and made one
> commit that adds a bullet to the BR Conformance section informing the
> reader that Mozilla policy has a more restrictive list of approved
> algorithms [3]
>
> As we've done in the past, I plan to post individual issues for discussion
> in small batches over the next few months, with the goal of finalizing
> version 2.7 by June.
>
> - Wayne
>
> [1] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
> [2] https://github.com/mozilla/pkipolicy/blob/2.7/rootstore/policy.md
> [3] https://github.com/mozilla/pkipolicy/issues/167
Next Root Store Policy Update
Later this month, I would like to begin discussing a number of proposed changes to the Mozilla Root Store policy [1]. I have reviewed the list of issues on GitHub and labeled the ones that I recommend discussing: https://github.com/mozilla/pkipolicy/labels/2.7 They are:

173 - Strengthen requirement for newly included roots to meet all current requirements
172 - Update section 5.3 to include Policy Certification Authorities as an exception to the mandatory EKU inclusion requirement
171 - Require binding of CA certificates to CP/CPS
170 - Clarify Section 5.1 about allowed ECDSA curve-hash pair
169, 140 - Extend Section 8 to also encompass subordinate CAs
168, 161, 158 - Require Incident Reports, move practices into policy
163 - Require EKUs in end-entity certificates (S/MIME)
162 - Require disclosure of CA software vendor/version in incident report
159 - Clarify section 5.3.1 Technically Constrained
152 - Add EV audit exception for policy constrained intermediates
151 - Change PITRA to Point-in-Time assessment in section 8

I will appreciate any feedback on the proposed list of issues to discuss.

I do recognize that the current DarkMatter discussions could result in the need to add some additional items to this list.

I have created a new branch for drafting these changes [1] and made one commit that adds a bullet to the BR Conformance section informing the reader that Mozilla policy has a more restrictive list of approved algorithms [3]

As we've done in the past, I plan to post individual issues for discussion in small batches over the next few months, with the goal of finalizing version 2.7 by June.

- Wayne

[1] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
[2] https://github.com/mozilla/pkipolicy/blob/2.7/rootstore/policy.md
[3] https://github.com/mozilla/pkipolicy/issues/167