Hi all, Though we’re not at the point of filing an application for Mozilla’s root program, I wanted to share with this community the beginnings of an effort by the US government to start a new PKI intended for publicly trusted certificates. This effort is being led by the General Services Administration and the Department of Defense.
Our goal is to start a new root and set of issuing CAs that is completely disconnected and separate from the existing Federal PKI bridge network that members of the web PKI community may be familiar with. The existing Federal PKI is used to issue many kinds of certificates, including those used for enterprise devices and for government personal identity verification (PIV). This new hierarchy would focus only on certificates intended for devices on the internet, rather than people, and its operation and policies are intended to adhere strictly to web PKI requirements, as expressed through the CA/Browser Forum's Baseline Requirements and those of various root programs. In addition, this hierarchy is intended only to serve US government operated devices, and so we welcome appropriately narrow name constraints that reflect that.

While we're still in the early stages, we are working on the root policy documents -- including a CP, CPS, and various certificate profiles -- in public on GitHub: https://github.com/uspki/policies

One additional thing I'd like to mention is that we're fully in support of the goals of Certificate Transparency. This project was initiated prior to Chrome announcing its October 2017 CT requirement, and our intent from the beginning has been to log 100% of issued certificates, with no special need for redaction. As part of this, we are evaluating the possibility of creating a new CT log that can issue SCTs considered valid by browsers for policy enforcement.

We generally intend the issuing CAs to support automated certificate issuance, which includes evaluating existing standard protocols. In general, we expect to use and support open standards and open source tools where they support the effort.
Since we're not yet an applicant, this forum may not be the best place for an extended discussion (though we're happy to engage in discussion here if people would like), but we're actively seeking public participation and input during the process -- issues and pull requests to the GitHub repository above are quite welcome, and we'll create additional repos as we go for other parts of the project. As we make progress, we hope to contribute positively to the web PKI and CT ecosystem, and we plan to be engaging publicly with the community here and other places along the way.

-- Eric

(P.S. This is my first email to the list from my work .gov address, so I'll just quickly note that that means I'm speaking in my work capacity. Emails that are not from my work address are not speaking in my work capacity.)

--
Eric Mill
Senior Advisor, Technology Transformation Service, GSA
eric.m...@gsa.gov, +1-617-314-0966

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy