On Sun, Apr 19, 2020 at 2:41 PM Ben Wilson via dev-security-policy <[email protected]> wrote:

> Dear MDSP community,
>
> As you are aware from past discussions on this list, there has been a
> concern about the impact of COVID-19 on CA operations. COVID-19 continues
> to impact certain areas of the world more severely than others. For
> example, there has been a recent resurgence of COVID-19 in Japan.[1]
> Globally, COVID-19 has not leveled out.[2]
>
> Recently at least one CA has expressed concern about Action 3 of Mozilla's
> January 2020 CA Communication [3] and enforcement of Section 5.2 of
> Mozilla’s Root Store Policy, which provide that as of 1-July-2020,
> end-entity certificates MUST include an EKU extension containing
> KeyPurposeId(s) describing the intended usage(s) of the certificate, and
> the EKU extension MUST NOT contain the KeyPurposeId anyExtendedKeyUsage.
> See [4].

(personal capacity)

"At least one CA" is unusually non-transparent for Mozilla, when it comes to requests for changes to policy. I would generally expect that Mozilla would ask affected CAs to make their requests to the list to support a more robust discussion, and to not force Mozilla to act as an intermediary for CAs.

> Some CAs (and their customers) located in Japan, the U.S., and elsewhere
> are dealing with new priorities that were not apparent back in January.
> Some have had to reorganize to deal with reduced staff and reallocate
> resources, while other companies have modified their schedules to delay
> changes that might cause instability.[5], [6]
>
> For some parties, the benefit of a 3-month delay (to 1-October-2020) in
> enforcement of Mozilla’s EKU requirement may result in more flexibility,
> resilience and secure operations.
>
> Several options are being considered:
>
> 1. Require that a CA request an extension, to be submitted on
> Bugzilla and flagged as “covid-19”, similar to audit delays [7] AND
>
> a. Not require an incident report, OR
>
> b. Require an incident report
>
> 2. Grant a blanket 3-month extension and not require revocation of
> certificates that do not comply
>
> 3. Replace July 1 with October 1 in section 5.2 of the Mozilla Root
> Store Policy and publish a new version
>
> 4. Recognize broader exceptions for COVID-19 issues, e.g. enlarge the
> scope of the delayed-audit approach to include other non-conformities/other
> issues and not require immediate certificate revocations
>
> I look forward to hearing your opinions and suggestions.
>
> Sincerely yours,
>
> Ben Wilson
>
> Endnotes:
>
> [1] https://apnews.com/9140ddd7283d534d8464778d9c4bd92a
> [2] https://ourworldindata.org/coronavirus#what-is-the-total-number-of-confirmed-cases
> [3] https://ccadb-public.secure.force.com/mozillacommunications/CACommResponsesOnlyReport?CommunicationId=a051J00003waNOW&QuestionId=Q00086,Q00087,Q00097
> [4] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#52-forbidden-and-required-practices
> [5] https://docs.microsoft.com/en-us/security/trusted-root/2020/april2020
> [6] https://blog.chromium.org/2020/04/temporarily-rolling-back-samesite.html
> [7] https://wiki.mozilla.org/CA/Audit_Statements#Audit_Delay
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

-- 
Eric Mill
617-314-0966 | konklone.com | @konklone <https://twitter.com/konklone>

