Over the past 3 months, a number of other projects distracted me from this
work. Now I'd like to focus on finishing these updates to our Root Store
policy. There are roughly 6 issues remaining to be discussed, and I will,
as always, greatly appreciate everyone's input on them. I'll be sending out
individual emails on each issue.

Meanwhile, you can view a redline of the changes we previously agreed on:
https://github.com/mozilla/pkipolicy/compare/master...2.7

- Wayne

On Wed, Mar 27, 2019 at 4:12 PM Wayne Thayer <wtha...@mozilla.com> wrote:

> I've added a few more issues that were recently created to the list for
> 2.7: https://github.com/mozilla/pkipolicy/labels/2.7
>
> 176 - Clarify revocation requirements for S/MIME certs
> 175 - Forbidden Practices wiki page says email validation cannot be
> delegated to 3rd parties
>
> I plan to begin posting issues for discussion shortly.
>
>
> On Fri, Mar 8, 2019 at 2:12 PM Wayne Thayer <wtha...@mozilla.com> wrote:
>
>> Later this month, I would like to begin discussing a number of proposed
>> changes to the Mozilla Root Store policy [1]. I have reviewed the list of
>> issues on GitHub and labeled the ones that I recommend discussing:
>> https://github.com/mozilla/pkipolicy/labels/2.7 They are:
>>
>> 173 - Strengthen requirement for newly included roots to meet all current
>> requirements
>> 172 - Update section 5.3 to include Policy Certification Authorities as
>> an exception to the mandatory EKU inclusion requirement
>> 171 - Require binding of CA certificates to CP/CPS
>> 170 - Clarify Section 5.1 about allowed ECDSA curve-hash pair
>> 169, 140 - Extend Section 8 to also encompass subordinate CAs
>> 168, 161, 158 - Require Incident Reports, move practices into policy
>> 163 - Require EKUs in end-entity certificates (S/MIME)
>> 162 - Require disclosure of CA software vendor/version in incident report
>> 159 - Clarify section 5.3.1 Technically Constrained
>> 152 - Add EV audit exception for policy constrained intermediates
>> 151 - Change PITRA to Point-in-Time assessment in section 8
>>
>> I will appreciate any feedback on the proposed list of issues to discuss.
>>
>> I do recognize that the current DarkMatter discussions could result in
>> the need to add some additional items to this list.
>>
>> I have created a new branch for drafting these changes [1] and made one
>> commit that adds a bullet to the BR Conformance section informing the
>> reader that Mozilla policy has a more restrictive list of approved
>> algorithms [3].
>>
>> As we've done in the past, I plan to post individual issues for
>> discussion in small batches over the next few months, with the goal of
>> finalizing version 2.7 by June.
>>
>> - Wayne
>>
>> [1]
>> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
>> [2] https://github.com/mozilla/pkipolicy/blob/2.7/rootstore/policy.md
>> [3] https://github.com/mozilla/pkipolicy/issues/167
>>
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
