Re: MRSP 2.9: Issues #252 and #266 - Incident Reporting

2023-07-26 Thread Ben Wilson
All, We have created a draft wiki page to explain vulnerability disclosure being proposed for v. 2.9 of the MRSP. See https://wiki.mozilla.org/CA/Vulnerability_Disclosure. We did not want to confuse this security vulnerability reporting

Re: MRSP 2.9: Issue #123: Annual Compliance Self-Assessment

2023-07-26 Thread Ben Wilson
And, for section 3.3 (CPs and CPSes), I am thinking that the same change should be made from 365 to 366 days, and that item 4 would read, "all CPs, CPSes, and combined CP/CPSes MUST be reviewed and updated as necessary at least once every 366 days." Ben On Wed, Jul 26, 2023 at 3:35 PM Ben Wilson

Re: MRSP 2.9: Issue #123: Annual Compliance Self-Assessment

2023-07-26 Thread Ben Wilson
All, For submission of self-assessments, what do people think about "at least every 366 days" instead of the original proposal of 365 days? That gives flexibility for leap years. Ben On Thu, Jun 29, 2023 at 9:48 PM Antti Backman wrote: > I concur with Bruce's concern, > > Albeit not directly

Re: MRSP 2.9: Issue#232: Root CA Lifecycles

2023-07-26 Thread Ben Wilson
Thanks, Rob. I'll change it to a strong SHOULD. Ben On Wed, Jul 26, 2023 at 10:09 AM Rob Stradling wrote: > > CA operators MUST apply to Mozilla for inclusion of their next > generation root certificate at least 2 years before the distrust date of > the CA certificate they wish to replace. > >

RE: MRSP 2.9: S/MIME BRs and Audits

2023-07-26 Thread 'Christophe Bonjean' via dev-security-policy@mozilla.org
Hi Ben Thanks for the proposed changes to the wording – this resolves my concerns. Christophe From: Ben Wilson Sent: Wednesday, July 19, 2023 11:06 PM To: Christophe Bonjean Cc: dev-secur...@mozilla.org Subject: Re: MRSP 2.9: S/MIME BRs and Audits All, For comment and

Re: MRSP 2.9: Issue#232: Root CA Lifecycles

2023-07-26 Thread 'Rob Stradling' via dev-security-policy@mozilla.org
> CA operators MUST apply to Mozilla for inclusion of their next generation > root certificate at least 2 years before the distrust date of the CA > certificate they wish to replace. Hi Ben. I would interpret that sentence to mean that if a CA operator misses the "at least 2 years" deadline

MRSP 2.9: Issue#232: Root CA Lifecycles

2023-07-26 Thread Ben Wilson
All, We previously announced this change in policy over a year ago, and will be finalizing it in Version 2.9 of the Mozilla Root Store Policy (MRSP). Please review this addition, and let us know if you have any final comments. - Begin MRSP Revision - *7.4 Root CA Lifecycles* For a root