On Wednesday, October 25, 2017 at 1:34:03 PM UTC-7, Jeremy Rowley wrote:
> Some initial thoughts
> 1. I'm a bit confused by bullet #2 in the survey. Wasn't it already the
> Mozilla policy that CAs could only use the blessed 10 methods of validation?
> I thought this was communicated in the previous letter? 

It was in the April 2017 CA Communication:
https://wiki.mozilla.org/CA/Communications#April_2017

But it was not specifically stated in previous versions of Mozilla's Root Store 
Policy:
https://github.com/mozilla/pkipolicy/blob/2.4.1/rootstore/policy.md

I updated ACTION 1 to separate the changes into two lists:
- Changes that most likely require CA action
- Changes that are clarification of previously expected practice or policy

Does that help? 



> 2. On bullet #3, I'm reading the wording to mean either 1) disclosed and
> audited or 2) revoked, not disclosed and either a) revoked or b) audited,
> correct? Rewording the language to be "must be either audited and disclosed
> or revoked in the Common CA Database" might clarify between the two.

This is referring to the item starting with: "Additional requirements were 
added for intermediate certificates that are used to sign certificates for 
S/MIME."

So, this is now the first bullet in Action 1.

Text updated. 


> 3. On bullet #3, should you specify what audits are required for s/MIME in
> the email? There might be confusion between the two audit questions that
> interprets s/MIME as requiring a BR audit. This might not be worth
> clarifying though as all CAs should understand the purpose of each audit.


Added sentence: "See Section 1.3.2 of Mozilla's Root Store Policy for details 
about required audits."

with link to:
https://www.mozilla.org/about/governance/policies/security-group/certs/policy#required-audits


> 4. On action 4, how often will Mozilla require BR Self assessments? Should
> you state that Mozilla may require them on a periodic basis going forward? 


It is now part of our root inclusion/update process, but otherwise we have not 
yet decided if this will be a regularly-recurring exercise.

How about if I add a sentence like the following?
"We recommend that you perform a BR Self Assessment on a periodic basis to 
ensure that your CA is aware of and following updates to the BRs."


> 5. On action 7, I'm unaware of any CT discussions currently ongoing at the
> CAB Forum or Mozilla list.  Could you provide a link or further intent on
> what we're watching for? 

This is currently a placeholder.
I would like to say something about CT, but still have to figure it out.

Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy