Later this month, I would like to begin discussing a number of proposed changes to the Mozilla Root Store policy [1]. I have reviewed the list of issues on GitHub and labeled the ones that I recommend discussing: https://github.com/mozilla/pkipolicy/labels/2.7

They are:

173 - Strengthen requirement for newly included roots to meet all current requirements
172 - Update section 5.3 to include Policy Certification Authorities as an exception to the mandatory EKU inclusion requirement
171 - Require binding of CA certificates to CP/CPS
170 - Clarify Section 5.1 about allowed ECDSA curve-hash pair
169, 140 - Extend Section 8 to also encompass subordinate CAs
168, 161, 158 - Require Incident Reports, move practices into policy
163 - Require EKUs in end-entity certificates (S/MIME)
162 - Require disclosure of CA software vendor/version in incident report
159 - Clarify section 5.3.1 Technically Constrained
152 - Add EV audit exception for policy constrained intermediates
151 - Change PITRA to Point-in-Time assessment in section 8

I will appreciate any feedback on the proposed list of issues to discuss. I do recognize that the current DarkMatter discussions could result in the need to add some additional items to this list.

I have created a new branch for drafting these changes [2] and made one commit that adds a bullet to the BR Conformance section informing the reader that Mozilla policy has a more restrictive list of approved algorithms [3].

As we've done in the past, I plan to post individual issues for discussion in small batches over the next few months, with the goal of finalizing version 2.7 by June.

- Wayne

[1] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
[2] https://github.com/mozilla/pkipolicy/blob/2.7/rootstore/policy.md
[3] https://github.com/mozilla/pkipolicy/issues/167