One suggestion on incident reports is to define "regularly update" as some 
period of time as non-responses can result in additional incident reports.  
Maybe something along the lines of "the greater of every 7 days, the time 
period specified in the next update field by Mozilla, or the time period for 
the next update as agreed upon with Mozilla". I'd also change "the 
corresponding bug is resolved by a Mozilla representative" to "the 
corresponding bug is marked as resolved in bugzilla by a Mozilla 
representative" since the CA is resolving the actual bug, and Mozilla is 
managing its perception on the bug's status.

Jeremy

-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On 
Behalf Of Wayne Thayer via dev-security-policy
Sent: Wednesday, October 2, 2019 4:17 PM
To: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: Next Root Store Policy Update

Over the past 3 months, a number of other projects distracted me from this 
work. Now I'd like to focus on finishing these updates to our Root Store 
policy. There are roughly 6 issues remaining to be discussed, and I will, as 
always, greatly appreciate everyone's input on them. I'll be sending out 
individual emails on each issue.

Meanwhile, you can view a redline of the changes we previously agreed on:
https://github.com/mozilla/pkipolicy/compare/master...2.7

- Wayne

On Wed, Mar 27, 2019 at 4:12 PM Wayne Thayer <wtha...@mozilla.com> wrote:

> I've added a few more issues that were recently created to the list for
> 2.7: https://github.com/mozilla/pkipolicy/labels/2.7
>
> 176 - Clarify revocation requirements for S/MIME certs
> 175 - Forbidden Practices wiki page says email validation cannot be 
> delegated to 3rd parties
>
> I plan to begin posting issues for discussion shortly.
>
>
> On Fri, Mar 8, 2019 at 2:12 PM Wayne Thayer <wtha...@mozilla.com> wrote:
>
>> Later this month, I would like to begin discussing a number of 
>> proposed changes to the Mozilla Root Store policy [1]. I have 
>> reviewed the list of issues on GitHub and labeled the ones that I recommend 
>> discussing:
>> https://github.com/mozilla/pkipolicy/labels/2.7 They are:
>>
>> 173 - Strengthen requirement for newly included roots to meet all 
>> current requirements
>> 172 - Update section 5.3 to include Policy Certification Authorities 
>> as an exception to the mandatory EKU inclusion requirement
>> 171 - Require binding of CA certificates to CP/CPS
>> 170 - Clarify Section 5.1 about allowed ECDSA curve-hash pair
>> 169, 140 - Extend Section 8 to also encompass subordinate CAs
>> 168, 161, 158 - Require Incident Reports, move practices into policy
>> 163 - Require EKUs in end-entity certificates (S/MIME)
>> 162 - Require disclosure of CA software vendor/version in incident 
>> report
>> 159 - Clarify section 5.3.1 Technically Constrained
>> 152 - Add EV audit exception for policy constrained intermediates
>> 151 - Change PITRA to Point-in-Time assessment in section 8
>>
>> I will appreciate any feedback on the proposed list of issues to discuss.
>>
>> I do recognize that the current DarkMatter discussions could result 
>> in the need to add some additional items to this list.
>>
>> I have created a new branch for drafting these changes [1] and made 
>> one commit that adds a bullet to the BR Conformance section informing 
>> the reader that Mozilla policy has a more restrictive list of 
>> approved algorithms [3]
>>
>> As we've done in the past, I plan to post individual issues for 
>> discussion in small batches over the next few months, with the goal 
>> of finalizing version 2.7 by June.
>>
>> - Wayne
>>
>> [1] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
>> [2] https://github.com/mozilla/pkipolicy/blob/2.7/rootstore/policy.md
>> [3] https://github.com/mozilla/pkipolicy/issues/167
>>
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy