All,
For submission of self-assessments, what do people think about "at least
every 366 days" instead of the original proposal of 365 days?  That gives
flexibility for leap years.
Ben

On Thu, Jun 29, 2023 at 9:48 PM Antti Backman <anttidan...@gmail.com> wrote:

> I concur with Bruce's concern,
>
> Albeit not directly concerning this discussion, we already have this issue
> on our hands:
> https://www.chromium.org/Home/chromium-security/root-ca-policy/#6-annual-self-assessments
>
> But yes, this will be a moving target. I would propose that this could be
> tied together with the end of the audit period, which is anyhow a hard-coded
> date. And maybe then, similarly to posting audit reports, this should (at
> least and at latest) be submitted some fixed number of days after the end
> of the audit period.
>
> Antti Backman
> Telia Company
>
> On Thursday, June 29, 2023 at 22:36:32 UTC+3 Bruce Morton wrote:
>
>> The issue I have with "at least every 365 days" is that I like to put
>> something on the schedule and do it the same month every year. We do this
>> with our annual compliance audit. If we have to provide the self-assessment
>> at least every 365 days, then each year it will be provided earlier to give
>> some insurance time to meet the requirement. Is there any way we can word
>> the requirement to stop this progression? Something like "on an annual
>> basis, but not longer than 398 days".
>>
>> On Friday, June 23, 2023 at 12:05:03 PM UTC-4 Ben Wilson wrote:
>>
>>> All,
>>>
>>> Historically, Mozilla has required that CAs perform an annual
>>> Self-Assessment of their compliance with the CA/Browser Forum's TLS
>>> Baseline Requirements and Mozilla's Root Store Policy (MRSP).  See
>>> https://wiki.mozilla.org/CA/Compliance_Self-Assessment. While there has
>>> not been any requirement that CAs submit their self-assessments to Mozilla,
>>> several CAs have made it a practice to do so.
>>>
>>> We would like to propose that the operators of TLS CAs (those with the
>>> websites trust bit enabled) be required to submit these self-assessments
>>> annually by providing a link to them in the Common CA Database (CCADB).
>>> Therefore, we are proposing a new section 3.4 in the MRSP to read as
>>> follows:
>>>
>>> ---- Begin Draft for MRSP-----
>>>
>>> 3.4 Compliance Self-Assessments
>>> Effective January 1, 2024, CA operators with CA certificates capable of
>>> issuing working TLS server certificates MUST complete a [Compliance
>>> Self-Assessment](https://www.ccadb.org/cas/self-assessment) at least
>>> every 365 days and provide the Common CA Database with the location where
>>> that Compliance Self-Assessment can be retrieved.
>>>
>>> ----- End Draft for MRSP -----
>>>
>>> The effective date of January 1, 2024, is not intended to result in a
>>> huge batch of self-assessments being submitted that day. Rather, we would
>>> hope that CAs begin providing the locations of their self-assessments as
>>> soon as possible by completing the "Self-Assessment" section under the
>>> "Root Information" tab of an Add/Update Root Case in the CCADB
>>> <https://www.ccadb.org/cas/updates>. (The field for this information
>>> already exists in the CCADB under the heading "Self-Assessment".)
>>>
>>> Please provide any comments or suggestions.
>>>
>>> Thanks,
>>>
>>> Ben and Kathleen
>>>
>>>