On 4/7/15 5:31 PM, Richard Barnes wrote:
As noted in our earlier conclusion with regard to CNNIC's status [1], the
CNNIC roots are currently in a partially disabled state, in which
certificates chaining to these roots are only to be accepted if they were
issued before 1 Apr 2015.  CNNIC may reapply for full inclusion following
the normal process, along with any additional steps that this community
decides to require of them.  The purpose of this thread is to discuss what
additional steps, if any, we should require.

CNNIC has already provided Mozilla with a list of certificates issued
before 1 Apr 2015.  We are working on publishing this list.  CNNIC has also
informed Mozilla that they plan to take the following steps:
<snip>

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/czwlDNbwHXM/qPcyC_DWlSwJ
[2] http://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html
[3] http://tools.ietf.org/html/rfc6962



Here is my interpretation of the result of this discussion, and what I should communicate to CNNIC...

CNNIC may re-apply for full inclusion following the normal process, after they have completed the following additional steps.

1. Provide a list of changes CNNIC has implemented to ensure that there are no future violations of Mozilla Policy and the Baseline Requirements.

2. Improve CNNIC’s process for authorizing intermediate CAs, and fully document this improved process in the CP/CPS.

3. Include in this year's WebTrust audit an explicit confirmation by the auditor that these changes have been implemented and enforced.

4. Provide auditor attestation that a full performance audit has been performed confirming BR compliance according to https://wiki.mozilla.org/CA:BaselineRequirements.

5. April 1, 2016 is the earliest date at which CNNIC may apply for full inclusion, so SSL certificates issued after Apr 1 2015 for new domains will be recognized.

Please reply if I've missed anything that needs to be added to this list.

Thanks,
Kathleen


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
