Section 2.2(3) defines very specific requirements for use of the BR 3.2.2.4
domain validation methods. Now that 3.2.2.4.11 (“any other method”) has
been removed from the BRs and ballot 218 [1] has passed, the Mozilla policy
is out-of-date. I propose the following changes:

* Remove the reference to BR version 1.4.1 and instead require compliance
with the current version. With the adoption of ballot 190 [2], the
reference to version 1.4.1 is no longer needed.
* Remove the reference to "10" methods, since the number is likely to
change.
* Add a new bullet on IP Address validation that forbids the use of BR
3.2.2.5(4) (“any other method”) and requires disclosure of IP Address
validation processes in the CA’s CP/CPS.
* Add the following language:

> Validation methods are occasionally found to contain security flaws. If
> this happens, Mozilla will communicate to CAs any disclosures or
> modifications it requires, up to and including discontinuing use of a
> method immediately.

I have intentionally not proposed a ban on methods 3.2.2.4.9 and 3.2.2.4.10
at this time. Work is underway in the IETF to fix method 10 [3], and I
suspect that the fix will be permitted under the existing 3.2.2.4.10
language. I’m proposing that we not make the use of any improved versions
of method 9 or 10 contingent on an update to our policy or on a BR change
that creates a new method number.

This is:
https://github.com/mozilla/pkipolicy/issues/121
https://github.com/mozilla/pkipolicy/issues/116
https://github.com/mozilla/pkipolicy/issues/115

[1] https://cabforum.org/2018/02/05/ballot-218-remove-validation-methods-1-5/
[2] https://cabforum.org/2017/09/19/ballot-190-revised-validation-requirements/
[3] https://datatracker.ietf.org/doc/draft-ietf-acme-tls-alpn/
-------

This is a proposed update to Mozilla's root store policy for version
2.6. Please keep discussion in this group rather than on GitHub. Silence
is consent.

Policy 2.5 (current version):
https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy