On 01/10/2019 00:45, Wayne Thayer via dev-security-policy wrote:
> I've initiated a CAB Forum ballot [1] to resolve the inconsistency that Rob
> identified.

Thanks Wayne.  I've offered to endorse.

> I also want to acknowledge the feedback from Google on the timing of this.
> I can appreciate the framing of this as a new policy that's been added
> without due process, but I view this as a clarification of existing
> requirements.

I view [4] as new policy that's been added without due process.  I would 
have preferred to see your CABForum ballot [1] resolve this in the BRs 
first, so that CAs weren't faced with conflicting requirements.

> Some CAs have already been held accountable for this requirement [2]
> and some that have been paying close attention adhere to
> it. Others were struggling to determine what to do. Under these
> circumstances, it made no sense to me to roll back the policy, so the only
> reasonable course was to clarify it in favor of the consensus that emerged
> from this thread.

Some CAs (including Sectigo, as I mentioned in an earlier message) are 
currently compliant with (quoting you [1])...
   "During a lengthy discussion on the mozilla.dev.security.policy forum,
    it was discovered that BR section 4.9.10 combined with BR
    section 7.1.2.5 prevents a CA from responding “good” for a
    precertificate." [1]

...but are not compliant with [4].

If/when your CABForum ballot [1] passes and (after the IPR period) takes 
effect, it will become possible for CAs to comply with [4] without 
falling out of compliance with the root program policies of Apple, 
Microsoft, etc., which incorporate the BRs but don't have a BR policy 
override equivalent to [4].  Until then, what does Mozilla expect CAs 
to do?

> I'm still open to making changes to our "required practice" on
> precertificates, but having caught up on the thread I don't think any
> further changes are necessary.

I propose that you update [4] to say that Mozilla won't treat 
non-compliance with [4] as an "incident" whilst it remains the case that 
the BRs are inconsistent with [4].

> - Wayne
> 
> [1] https://cabforum.org/pipermail/servercert-wg/2019-September/001111.html
> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1551390
> [3] https://groups.google.com/d/msg/mozilla.dev.security.policy/PYIAoh6W6x0/R0gr1d6wBQAJ

[4] https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Precertificates

-- 
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy