Based on the survey results, we (Ben and I) have recommended the following updates to the Browser Alignment Ballot. (currently in draft form here: https://github.com/sleevi/cabforum-docs/pull/10)

1) For the following changes proposed in the ballot, we have recommended that the effective date be on September 30, 2020.

- OCSP requirements (OCSP must be supported, validity interval for OCSP response more explicitly defined, revocationReason required)
- CRL updates (reasonCode required)
-- The change regarding the OCSP and CRL updates is already in progress here:
https://github.com/sleevi/cabforum-docs/commit/1e59ed6bc3f1411b28ecafc3ee41b293903cd755

- Certificate Policies (MUST contain at least one CA/Browser Forum defined-policy OID.)
-- This change is already in progress here:
https://github.com/sleevi/cabforum-docs/commit/80ea02a31b29d614b843d119a6c022652840c806

- Name Encoding Rules (Byte-for-byte Identical Issuer and Subject Distinguished Names)
-- This change is already in progress here:
https://github.com/sleevi/cabforum-docs/commit/91125b8fbc1b56abea7783f63b915ba09ca799de


2) Restrict the second part of the Name Encoding Rules (Byte-for-byte Identical Issuer and Subject Distinguished Names) changes to subCAs.
-- This change is already in progress here:
https://github.com/sleevi/cabforum-docs/commit/91125b8fbc1b56abea7783f63b915ba09ca799de


3) (No Change, just explanation) Mozilla’s approach to adding the certificate validity period reduction to our root store policy would normally have included a public discussion in mozilla.dev.security.policy. In the survey, CAs all indicated that they will be following this new requirement anyways for compatibility reasons. So we are OK with it remaining in this ballot.


Any further discussion about the Browser Alignment Ballot should continue in the CA/Browser Forum Server Certificate Working Group or in GitHub.

Thanks,
Kathleen

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
