And, for section 3.3 (CPs and CPSes), I am thinking that the same change
should be made from 365 to 366 days, and that item 4 would read, "all CPs,
CPSes, and combined CP/CPSes MUST be reviewed and updated as necessary at
least once every 366 days."
Ben

On Wed, Jul 26, 2023 at 3:35 PM Ben Wilson <bwil...@mozilla.com> wrote:

> All,
> For submission of self-assessments, what do people think about "at least
> every 366 days" instead of the original proposal of 365 days?  That gives
> flexibility for leap years.
> Ben
>
> On Thu, Jun 29, 2023 at 9:48 PM Antti Backman <anttidan...@gmail.com>
> wrote:
>
>> I concur with Bruce's concern.
>>
>> Albeit not directly concerning this discussion, we already have this
>> issue in our hands:
>> https://www.chromium.org/Home/chromium-security/root-ca-policy/#6-annual-self-assessments
>>
>> But yes, this will be a moving target. I would propose that this could be
>> tied together with the end of the audit period, which anyhow is a hardcoded
>> date. And maybe then, similarly to posting audit reports, having some fixed
>> amount of days after the end of the audit period by which this should (at least and at
>> latest) be submitted.
>>
>> Antti Backman
>> Telia Company
>>
>> On Thursday, June 29, 2023 at 22:36:32 UTC+3 Bruce Morton wrote:
>>
>>> The issue I have with "at least every 365 days" is that I like to put
>>> something on the schedule and do it the same month every year. We do this
>>> with our annual compliance audit. If we have to provide the self-assessment
>>> at least every 365 days, then each year it will be earlier to provide some
>>> insurance time to meet the requirement. Is there any way we can provide the
>>> requirement to stop this progression? Something like "on an annual basis,
>>> but not longer than 398 days".
>>>
>>> On Friday, June 23, 2023 at 12:05:03 PM UTC-4 Ben Wilson wrote:
>>>
>>>> All,
>>>>
>>>> Historically, Mozilla has required that CAs perform an annual
>>>> Self-Assessment of their compliance with the CA/Browser Forum's TLS
>>>> Baseline Requirements and Mozilla's Root Store Policy (MRSP).  See
>>>> https://wiki.mozilla.org/CA/Compliance_Self-Assessment. While there
>>>> has not been any requirement that CAs submit their self-assessments to
>>>> Mozilla, several CAs have had it a practice to do so.
>>>>
>>>> We would like to propose that the operators of TLS CAs (those with the
>>>> websites trust bit enabled) be required to submit these self-assessments
>>>> annually by providing a link to them in the Common CA Database (CCADB).
>>>> Therefore, we are proposing a new section 3.4 in the MRSP to read as
>>>> follows:
>>>>
>>>> ---- Begin Draft for MRSP-----
>>>>
>>>> 3.4 Compliance Self-Assessments
>>>> Effective January 1, 2024, CA operators with CA certificates capable of
>>>> issuing working TLS server certificates MUST complete a [Compliance
>>>> Self-Assessment](https://www.ccadb.org/cas/self-assessment) at least
>>>> every 365 days and provide the Common CA Database with the location where
>>>> that Compliance Self-Assessment can be retrieved.
>>>>
>>>> ----- End Draft for MRSP -----
>>>>
>>>> The effective date of January 1, 2024, is not intended to result in a
>>>> huge batch of self-assessments being submitted that day. Rather, we would
>>>> hope that CAs begin providing the locations of their self-assessments as
>>>> soon as possible by completing the "Self-Assessment" section under the
>>>> "Root Information" tab of an Add/Update Root Case in the CCADB
>>>> <https://www.ccadb.org/cas/updates>. (The field for this information
>>>> already exists in the CCADB under the heading "Self-Assessment".)
>>>>
>>>> Please provide any comments or suggestions.
>>>>
>>>> Thanks,
>>>>
>>>> Ben and Kathleen
>>>>
>>>>
