Thanks, Rob. I'll change it to a strong SHOULD.

Ben

On Wed, Jul 26, 2023 at 10:09 AM Rob Stradling <r...@sectigo.com> wrote:
> > CA operators MUST apply to Mozilla for inclusion of their next
> > generation root certificate at least 2 years before the distrust date of
> > the CA certificate they wish to replace.
>
> Hi Ben. I would interpret that sentence to mean that if a CA operator
> misses the "at least 2 years" deadline then they are *forever forbidden*
> from submitting a next generation root certificate for inclusion in
> Mozilla's root store. Is that the intent?
>
> I think CAs should certainly be encouraged to submit next gen roots in a
> timely fashion, and I think Mozilla shouldn't feel obliged to grant
> extensions on to-be-replaced root removals in order to support CAs that
> fail to do this "at least 2 years" in advance. However, I think "forever
> forbidden" is unnecessarily harsh!
>
> So I suggest changing "MUST" to "SHOULD".
>
> ------------------------------
> *From:* dev-security-policy@mozilla.org <dev-security-policy@mozilla.org>
> on behalf of Ben Wilson <bwil...@mozilla.com>
> *Sent:* 26 July 2023 16:42
> *To:* dev-secur...@mozilla.org <dev-security-policy@mozilla.org>
> *Subject:* MRSP 2.9: Issue#232: Root CA Lifecycles
>
>
> CAUTION: This email originated from outside of the organization. Do not
> click links or open attachments unless you recognize the sender and know
> the content is safe.
>
> All,
>
> We previously announced this change in policy over a year ago, and will be
> finalizing it in Version 2.9 of the Mozilla Root Store Policy (MRSP).
> Please review this addition, and let us know if you have any final
> comments.
>
> ----- Begin MRSP Revision -----
>
>
> *7.4 Root CA Lifecycles*
> For a root CA certificate trusted for server authentication, Mozilla will
> remove the websites trust bit when the CA key material is more than 15
> years old. For a root CA certificate trusted for secure email, Mozilla will
> set the "Distrust for S/MIME After Date" for the CA certificate to 18 years
> from the CA key material generation date.
> The CA key material generation
> date SHALL be determined by reference to the auditor-witnessed key
> generation ceremony report. If the CA operator cannot provide the key
> generation ceremony report for a root CA certificate created before July 1,
> 2012, then Mozilla will use the "Valid From" date in the root CA
> certificate to establish the key material generation date. For transition
> purposes, root CA certificates in the Mozilla root store will be distrusted
> according to the schedule located at
> https://wiki.mozilla.org/CA/Root_CA_Lifecycles, which is subject to
> change if underlying algorithms become more susceptible to cryptanalytic
> attack or if other circumstances arise that make this schedule obsolete.
> CA operators MUST apply to Mozilla for inclusion of their next generation
> root certificate at least 2 years before the distrust date of the CA
> certificate they wish to replace.
>
> ----- End MRSP Revision -----
>
> Thanks,
>
> Ben
>
> --
> You received this message because you are subscribed to the Google Groups
> "dev-security-policy@mozilla.org" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to dev-security-policy+unsubscr...@mozilla.org.
> To view this discussion on the web visit
> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabwQ0tiADoo-YNvCSuu3dAxTJOjSKnUbWb6NQasoejQKg%40mail.gmail.com
> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabwQ0tiADoo-YNvCSuu3dAxTJOjSKnUbWb6NQasoejQKg%40mail.gmail.com?utm_medium=email&utm_source=footer>
> .