On Tue, April 7, 2015 5:31 pm, Richard Barnes wrote:

> E. Require a certain amount of time to pass before CNNIC's re-inclusion
> request will be considered.
I think this remains to be determined in relation to how Mozilla implements their stated policy of a date-based check - e.g. whether this is implemented in Firefox or NSS.

Right now, every CA that wishes to apply for inclusion goes in a queue, and there are separate queues for new CAs versus already included CAs (see https://wiki.mozilla.org/CA:Schedule ). Would CNNIC's presence in the NSS root store give it an advantage over other CAs applying either for inclusion or an updated status? Further, even after CAs are approved for inclusion, they're not directly included into a Mozilla product until one of the quarterly updates / when there is a sufficient number of new roots. However, if the restrictions are implemented within Firefox, it might give CNNIC an advantage over other participants, in that CNNIC's restrictions can be lifted before other CAs (that were ahead in the queue and approval) are included.

Another aspect to consider is Mozilla's inclusion policy with respect to BR audits. That is, https://wiki.mozilla.org/CA:BaselineRequirements#A_CA.27s_First_BR_Audit

It would seem like scenario 4 applies: "4. Any CA who has received a qualified BR audit opinion (i.e. failing criteria) for its regular period of time audit and then conducts remediation may want a point in time audit to demonstrate their remediation efforts"

However, given the surrounding context, it would seem that, at the least, a full performance audit showing BR compliance over at least 60 days applies. This means CNNIC will produce new certificates, but they will not be trusted in clients. Alternatively, if CNNIC's disclosure of certificates reveals more BR violations, it might be argued that an untold number of the previously issued certificates may not conform to the BRs, which may require that the CA create a new root, per that same section.
It would seem though that there is at least a lower bound of 60 days before the audit begins (for a period of time audit) before CNNIC can be considered for inclusion. If Mozilla opts not to set a minimum time, would it incentivize a "quick" audit that doesn't address the underlying issues noted by Mozilla? Would Mozilla accept a Point in Time Readiness Assessment for remediation of the issues? Would CNNIC be required, the same as other CAs doing PITRAs, to also perform a PoT assessment within 90 days of inclusion covering at least 60 days of issuance?

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy