On Sun, Apr 19, 2020, at 17:41, Ben Wilson via dev-security-policy wrote:

> Recently at least one CA has expressed concern about Action 3 of Mozilla's
> January 2020 CA Communication [3] and enforcement of Section 5.2 of
> Mozilla's Root Store Policy

Please have the CA post complete details of their concerns publicly on the list. Unlike other root programs, the Mozilla program operates publicly on this list and in Bugzilla, as guided by Principle 8 of the Mozilla Manifesto: "Transparent community-based processes promote participation, accountability and trust."

> Some CAs (and their customers) located in Japan, the U.S., and elsewhere
> are dealing with new priorities that were not apparent back in January. Some
> have had to reorganize to deal with reduced staff and reallocate resources,
> while other companies have modified their schedules to delay changes that
> might cause instability.[5], [6]

While this may be true generally, it's not clear how this applies to the specific case of the EKU requirement. It is important to hear from CAs that have not implemented this change yet (if any) with far more detail before jumping to the conclusion that changes need to be made to the requirement. Given that this is an extremely simple requirement codifying already widely implemented best practices that was known many weeks before the impact of COVID-19 was felt in most places, it's not immediately clear why it should be a problem to deploy with over two months left before the deadline.

> For some parties, the benefit of a 3-month delay (to 1-October-2020) in
> enforcement of Mozilla's EKU requirement may result in more flexibility,
> resilience and secure operations.

It's not clear to me how changing the EKU field in a certificate profile would impact resilience or security. I think it would be more productive to have specific public discussions with CAs about challenges in implementing this change by the deadline instead of speculating about possible issues.

> Several options are being considered:

Given the complete lack of public discussion about this deadline being a problem, I don't think discussing options for a problem that hasn't been established as existing yet is productive.

Additionally, as Ryan points out, most of these options are not compatible with how the program has operated to date.

Jonathan

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy