Section 2.2(3) defines very specific requirements for use of the BR 3.2.2.4 domain validation methods. Now that 3.2.2.4.11 (“any other method”) has been removed from the BRs and ballot 218 [1] has passed, the Mozilla policy is out-of-date. I propose the following changes:
* Remove the reference to BR version 1.4.1 and instead require compliance with the current version. With the adoption of ballot 190 [2], the reference to version 1.4.1 is no longer needed.
* Remove the reference to "10" methods, since the number is likely to change.
* Add a new bullet on IP Address validation that forbids the use of BR 3.2.2.5(4) (“any other method”) and requires disclosure of IP Address validation processes in the CA’s CP/CPS.
* Add the following language:

> Validation methods are occasionally found to contain security flaws. If
> this happens, Mozilla will communicate to CAs any disclosures or
> modifications it requires, up to and including discontinuing use of a
> method immediately.

I have intentionally not proposed a ban on methods 3.2.2.4.9 and 3.2.2.4.10 at this time. Work is underway in the IETF to fix method 10 [3], and I suspect that the fix will be permitted under the existing 3.2.2.4.10 language. I’m proposing that we not make the use of any improved versions of method 9 or 10 contingent on an update to our policy or on a BR change that creates a new method number.

This is:
https://github.com/mozilla/pkipolicy/issues/121
https://github.com/mozilla/pkipolicy/issues/116
https://github.com/mozilla/pkipolicy/issues/115

[1] https://cabforum.org/2018/02/05/ballot-218-remove-validation-methods-1-5/
[2] https://cabforum.org/2017/09/19/ballot-190-revised-validation-requirements/
[3] https://datatracker.ietf.org/doc/draft-ietf-acme-tls-alpn/

-------

This is a proposed update to Mozilla's root store policy for version 2.6. Please keep discussion in this group rather than on GitHub. Silence is consent.

Policy 2.5 (current version): https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy