On 01/10/2019 00:45, Wayne Thayer via dev-security-policy wrote:
> I've initiated a CAB Forum ballot [1] to resolve the inconsistency that Rob
> identified.

Thanks Wayne. I've offered to endorse.

> I also want to acknowledge the feedback from Google on the timing of this.
> I can appreciate the framing of this as a new policy that's been added
> without due process, but I view this as a clarification of existing
> requirements.

I view [4] as new policy that's been added without due process. I would have preferred to see your CABForum ballot [1] resolve this in the BRs first, so that CAs weren't faced with conflicting requirements.

> Some CAs have already been held accountable for this requirement [2]
> and some that have been paying close attention adhere to
> it. Others were struggling to determine what to do. Under these
> circumstances, it made no sense to me to roll back the policy, so the only
> reasonable course was to clarify it in favor of the consensus that emerged
> from this thread.

Some CAs (including Sectigo, as I mentioned in an earlier message) are currently compliant with (quoting you [1])...

"During a lengthy discussion on the mozilla.dev.security.policy forum, it was discovered that BR section 4.9.10 combined with BR section 7.1.2.5 prevents a CA from responding “good” for a precertificate." [1]

...but are not compliant with [4].

If/when your CABForum ballot [1] passes and (after the IPR period) takes effect, it will become possible for CAs to comply with [4] without falling out of compliance with the root program policies of Apple, Microsoft, etc., which incorporate the BRs but don't have a BR policy override equivalent to [4]. Until then, what does Mozilla expect CAs to do?

> I'm still open to making changes to our "required practice" on
> precertificates, but having caught up on the thread I don't think any
> further changes are necessary.

I propose that you update [4] to say that Mozilla won't treat non-compliance with [4] as an "incident" whilst it remains the case that the BRs are inconsistent with [4].

> - Wayne
>
> [1] https://cabforum.org/pipermail/servercert-wg/2019-September/001111.html
> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1551390
> [3] https://groups.google.com/d/msg/mozilla.dev.security.policy/PYIAoh6W6x0/R0gr1d6wBQAJ

[4] https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Precertificates

-- 
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy