All,

I've drafted a new email and survey that I plan to send to all CAs in the
Mozilla program in early January. It focuses on compliance with the new
(2.7) version of our Root Store Policy. I will appreciate your review and
feedback on the draft:
https://ccadb-public.secure.force.com/mozillacommunications/CACommunicationSurveySample?CACommunicationId=a051J00003waNOW

Note that two deadlines have been added to the communication:
* Action 3 specifies that CAs must agree to update their CP/CPS, if needed
to comply, prior to April 1, 2020. This is intended to prevent responses
that we have found unacceptable in the past, e.g. waiting for an annual
audit before updating the CP/CPS.
* Action 5 requires CAs with failed Intermediate ALV results to publish a
plan to correct these problems no later than Feb 15, 2020. Kathleen
announced that we have begun validating audit letters for intermediate
certificates back in October [1], and the requirement for audit statements
to contain the SHA256 fingerprint of each root and intermediate certificate
that was in scope of the audit dates back to 2017. CAs should have already
taken action to resolve these issues, so this deadline is intended to
convey the need for an immediate response.

- Wayne

[1]
https://groups.google.com/d/msg/mozilla.dev.security.policy/M7NGwCh14DI/ZPDMRvDzBQAJ
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
