All,

This email announces discussion of three more GitHub issues that we would
like to address in Version 2.9 of the Mozilla Root Store Policy (MRSP).

*#261 - Merge 5 and 5.1 in Section 2.1*
<https://github.com/mozilla/pkipolicy/issues/261>

Currently, item 5.1 in section 2.1 of the MRSP has a date of October 1,
2021, concerning server certificates issued on or after that date, which
date is in the past.

The updated item 5 in section 2.1 would combine items 5 and 5.1 and remove
the date and state that CAs “verify each dNSName or IPAddress in a SAN or
commonName in server certificates in accordance with sections 3.2.2.4 and
3.2.2.5 of the CA/Browser Forum's Baseline Requirements at intervals of 398
days or less, and verify that all other information that is included in
server certificates remains current and correct at intervals of 825 days or
less”.

*#263 - Clarify sentence prohibiting blank sections that also contain no
Subsections in CPs and CPSes*
<https://github.com/mozilla/pkipolicy/issues/263>

Currently, item 5 in MRSP section 3.3 says that CPs and CPSes must be
structured according to RFC 3647.  It has been argued that this is
ambiguous, for instance, because RFC 3647 has more than one numbered
outline.  Also, the third bullet says that CPs/CPSes must “contain no
sections that are blank and have no subsections”.  That language was not
intended to mean that a CP/CPS could not have any subsections.  Therefore,
item 5 in Section 3.3 should be clarified as follows:

“all CPs, CPSes, and combined CP/CPSes MUST be structured according to the
common outline set forth in section 6 of RFC 3647 (
https://datatracker.ietf.org/doc/html/rfc3647#section-6) and MUST:

* include at least every section and subsection defined in section 6 of RFC
3647;

* only use the words "No Stipulation" to mean that the particular document
imposes no requirements related to that section; and

* contain no sections that are entirely blank, having no text or
subsections”

*#267 - Update WebTrust and ETSI audit criteria to current versions and
identifiers*
<https://github.com/mozilla/pkipolicy/issues/267>

WebTrust references would be updated to require that audits be performed in
accordance with the following versions of the WebTrust criteria:

* WebTrust Principles and Criteria for Certification Authorities –
Version 2.2.2 or later;

* WebTrust Principles and Criteria for Certification Authorities –
SSL Baseline with Network Security - Version 2.6 or later; and

* WebTrust Principles and Criteria for Certification Authorities -
Extended Validation SSL - Version 1.7.8 or later.

Please provide your comments and suggestions as responses in this thread.

Thanks,

Ben and Kathleen
