That approach could work.

From: Wayne Thayer <wtha...@mozilla.com> 
Sent: Friday, May 3, 2019 1:19 PM
To: Ben Wilson <ben.wil...@digicert.com>
Cc: Andrew Ayer <a...@andrewayer.name>; Corey Bonnell <cbonn...@outlook.com>; 
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Unretrievable CPS documents listed in CCADB

On Fri, May 3, 2019 at 8:36 AM Ben Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> I'm against having to continually update the exact URL of the CP and CPS in the
> CCADB.

A relatively simple solution to this problem is to create a "permanent link" to 
the current version of these docs (e.g. 
https://digicert.com/repository/current_cp.pdf), then modify or redirect the 
document that the link returns each time the document is updated as part of the 
publishing process. Under this scheme, the CA should never need to worry about 
updating CCADB.

> It's pretty easy to find the current CP and CPS from a legal repository.

But not as easy as getting it from a CCADB report, especially when the 
repository page doesn't clearly map a policy to a CA certificate.

> Plus, if we point to an exact one in the CCADB, it might not be the one that
> is applicable to a given certificate that was issued prior to the most current
> CPS. In other words, you should look at when the certificate was issued and
> then figure out which CPS is applicable.

I'm almost always looking for the current policy rather than trying to identify 
the version applicable to a specific certificate.

-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Andrew Ayer via dev-security-policy
Sent: Thursday, May 2, 2019 8:16 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Unretrievable CPS documents listed in CCADB

On Thu, 2 May 2019 18:53:39 -0700 (PDT)
Corey Bonnell via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> As an aside, I noticed that several URLs listed in CCADB are “Legal 
> Repository” web page URLs that contain a list of many CP/CPS 
> documents. My recommendation is to slightly amend CCADB Policy to 
> require CAs to provide URLs to the specific document in question 
> rather than a general “Legal Repository” page, where it is left up to 
> the reader to decide which hyperlink on the page is the correct 
> document.

+1.  It's often a real hassle to find the CP/CPS for a CA.  Linking
directly to the document would help a lot.


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
