All, I don't believe we received any comments or questions, and the proposed changes have been made to the draft version of MRSP v.2.9. Therefore, I will assume that discussion of these issues can now be closed. Thanks, Ben
On Thu, Jul 13, 2023 at 2:23 PM Ben Wilson <bwil...@mozilla.com> wrote:
> All,
>
> This email announces discussion of three more GitHub issues that we would like to address in Version 2.9 of the Mozilla Root Store Policy (MRSP).
>
> *#261 - Merge 5 and 5.1 in Section 2.1* <https://github.com/mozilla/pkipolicy/issues/261>
>
> Currently, item 5.1 in section 2.1 of the MRSP has a date of October 1, 2021, concerning server certificates issued on or after that date, which date is in the past.
>
> The updated item 5 in section 2.1 would combine items 5 and 5.1 and remove the date and state that CAs “verify each dNSName or IPAddress in a SAN or commonName in server certificates in accordance with sections 3.2.2.4 and 3.2.2.5 of the CA/Browser Forum's Baseline Requirements at intervals of 398 days or less, and verify that all other information that is included in server certificates remains current and correct at intervals of 825 days or less”.
>
> *#263 - Clarify sentence prohibiting blank sections that also contain no Subsections in CPs and CPSes* <https://github.com/mozilla/pkipolicy/issues/263>
>
> Currently, item 5 in MRSP section 3.3 says that CPs and CPSes must be structured according to RFC 3647. It has been argued that this is ambiguous, for instance, because RFC 3647 has more than one numbered outline. Also, the third bullet says that CPs/CPSes must “contain no sections that are blank and have no subsections”. That language was not intended to mean that a CP/CPS could not have any subsections. Therefore, item 5 in Section 3.3 should be clarified as follows:
>
> “all CPs, CPSes, and combined CP/CPSes MUST be structured according to the common outline set forth in section 6 of RFC 3647 (https://datatracker.ietf.org/doc/html/rfc3647#section-6) and MUST:
>
> * include at least every section and subsection defined in section 6 of RFC 3647;
>
> * only use the words "No Stipulation" to mean that the particular document imposes no requirements related to that section; and
>
> * contain no sections that are entirely blank, having no text or subsections”
>
> *#267 - Update WebTrust and ETSI audit criteria to current versions and identifiers* <https://github.com/mozilla/pkipolicy/issues/267>
>
> WebTrust references would be updated to require that audits be performed in accordance with the following versions of the WebTrust criteria:
>
> · WebTrust Principles and Criteria for Certification Authorities – Version 2.2.2 or later;
>
> · WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security - Version 2.6 or later; and
>
> · WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL - Version 1.7.8 or later.
>
> Please provide your comments and suggestions as responses in this thread.
>
> Thanks,
>
> Ben and Kathleen

--
You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaYpyURx6tLnreU0BxoTzkOSD4OAvSntBV8YsXfnekJfaw%40mail.gmail.com.