All,

Below are the summaries of the proposed resolutions of the issues slated to
be addressed by version 2.7.1 of the Mozilla Root Store Policy.


A full redline of the proposed changes can be seen here by clicking on the
"Files changed" tab:
https://github.com/mozilla/pkipolicy/compare/master...BenWilson-Mozilla:2.7.1


I intend to close public discussion on the proposed changes sometime next
week. That will be followed by finalizing anything that needs to be
addressed, Mozilla internal reviews, and a CA Communication and survey.


Thanks for your contributions.


Sincerely yours,


Ben


------------------------------


#130 resolved - updates required to current audit versions

References to updated audit criteria are found here:

https://github.com/BenWilson-Mozilla/pkipolicy/commit/b62ae60d18625e3df3f78033f8b9b51be18379ff


#139 resolved - Audits are required even if the CA is no longer issuing, until the
CA certificate is revoked, expired, or removed.

See
https://github.com/BenWilson-Mozilla/pkipolicy/commit/888dc139d196b02707d228583ac20564ddb27b35


#147 resolved - Require EV audits for certificates capable of issuing EV
certificates – Clarify that EV audits are required for all intermediate
certificates that are technically capable of issuing EV certificates, even
when not currently issuing EV certificates.

Resolved with hyperlink to:
https://wiki.mozilla.org/CA/EV_Processing_for_CAs#EV_TLS_Capable

#152 resolved - Add EV Audit exception for Policy Constraints – leaf
certificates do not receive EV treatment unless signed by an intermediate
CA with EV OID or anyPolicy OID, therefore they can be excluded from EV
audits.

Resolved with hyperlink to:
https://wiki.mozilla.org/CA/EV_Processing_for_CAs#EV_TLS_Capable
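One way to check this rule mechanically, as an added example that is not part of the policy text or of the pkipolicy repository: the script below parses a CA certificate's certificatePolicies extension with a small hand-written DER reader (no external library) and applies the rule summarised above, treating an intermediate as EV-capable, and therefore within EV audit scope, when the extension asserts the EV policy OID or anyPolicy. The EV OID value 2.23.140.1.1 (the CA/Browser Forum EV policy identifier), the DV OID used for contrast, the placeholder CPS URI and the sample extension encodings are all supplied here as assumptions; the email names no specific OID. It implements the simplified rule from the issue summary, not full RFC 5280 policy processing (no policy mappings or inhibitAnyPolicy).

```python
# Added example (not from the Mozilla policy text or the pkipolicy repo):
# decide whether an intermediate CA certificate is "EV TLS capable" under the
# rule summarised in issue #152, i.e. whether its certificatePolicies extension
# asserts the EV policy OID or anyPolicy. The DER parser is a minimal one for
# this extension only; the sample extension values are constructed below, not
# taken from any real certificate.
from typing import Dict, List, Optional

ANY_POLICY = "2.5.29.32.0"   # anyPolicy (RFC 5280)
CABF_EV = "2.23.140.1.1"     # CA/Browser Forum EV policy OID (assumed; email says only "EV OID")
TAG_OID, TAG_SEQUENCE, TAG_IA5STRING = 0x06, 0x30, 0x16


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the DER TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def decode_oid(body: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("unterminated OID arc")
    first = arcs[0]
    head = list(divmod(first, 40)) if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def certificate_policies(ext_value: bytes) -> List[str]:
    """Return the policyIdentifier OIDs from a DER certificatePolicies value.

    certificatePolicies ::= SEQUENCE OF PolicyInformation
    PolicyInformation   ::= SEQUENCE { policyIdentifier OID, policyQualifiers OPTIONAL }
    Qualifiers (CPS URIs, user notices) are skipped; they do not affect EV capability.
    """
    tag, body, _ = _read_tlv(ext_value, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, info, pos = _read_tlv(body, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        oid_tag, oid_body, _ = _read_tlv(info, 0)   # policyIdentifier comes first
        if oid_tag != TAG_OID:
            raise ValueError("policyIdentifier must be an OID")
        oids.append(decode_oid(oid_body))
    return oids


def ev_capable(ext_value: Optional[bytes], ev_oid: str = CABF_EV) -> bool:
    """#152 rule: EV-capable iff the extension asserts the EV OID or anyPolicy.

    A CA certificate with no certificatePolicies extension (None) is treated as
    not EV-capable. This is the simplified rule from the issue summary, not full
    RFC 5280 policy processing (no policy mappings or inhibitAnyPolicy).
    """
    if ext_value is None:
        return False
    oids = certificate_policies(ext_value)
    return ANY_POLICY in oids or ev_oid in oids


# --- constructed sample extension values (short-form lengths only) ---
def _tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 128, "sample encoder supports short-form lengths only"
    return bytes([tag, len(body)]) + body


_EV_OID = _tlv(TAG_OID, bytes.fromhex("67810c0101"))        # 2.23.140.1.1
_ANY_POLICY = _tlv(TAG_OID, bytes.fromhex("551d2000"))      # 2.5.29.32.0
_DV_OID = _tlv(TAG_OID, bytes.fromhex("67810c010201"))      # 2.23.140.1.2.1 (DV, assumed)
_CPS_QUALIFIER = _tlv(TAG_SEQUENCE, _tlv(TAG_SEQUENCE,
    _tlv(TAG_OID, bytes.fromhex("2b06010505070201"))         # id-qt-cps 1.3.6.1.5.5.7.2.1
    + _tlv(TAG_IA5STRING, b"http://cps.example.test")))      # placeholder CPS URI

SAMPLES: Dict[str, Optional[bytes]] = {
    "ev_intermediate": _tlv(TAG_SEQUENCE, _tlv(TAG_SEQUENCE, _EV_OID + _CPS_QUALIFIER)),
    "anypolicy_intermediate": _tlv(TAG_SEQUENCE, _tlv(TAG_SEQUENCE, _ANY_POLICY)),
    "dv_only_intermediate": _tlv(TAG_SEQUENCE, _tlv(TAG_SEQUENCE, _DV_OID)),
    "no_policies_extension": None,
}


def ev_audit_scope(samples: Dict[str, Optional[bytes]]) -> Dict[str, bool]:
    """Map each sample intermediate to whether it falls within EV audit scope."""
    return {name: ev_capable(value) for name, value in samples.items()}


if __name__ == "__main__":
    for name, in_scope in ev_audit_scope(SAMPLES).items():
        print(f"{name:24s} EV audit required: {in_scope}")
```

In practice the input to `certificate_policies` is the extnValue octet string of the extension with OID 2.5.29.32 taken from the intermediate's tbsCertificate; a CA reviewing its hierarchy would run this over every unexpired, unrevoked intermediate chaining to an included root, and anything reported as EV-capable belongs in the EV audit scope regardless of whether it currently issues EV certificates.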

#153 resolved – Cradle-to-Grave Contiguous Audits – Specify the audits that
are required from Root key generation ceremony until expiration or removal
from Mozilla’s root store.

Resolved with:

“Full-surveillance period-of-time audits MUST be conducted and updated
audit information provided no less frequently than annually from the time
of CA key pair generation until the CA certificate is no longer trusted by
Mozilla's root store or until all copies of the CA private key have been
completely destroyed, as evidenced by a Qualified Auditor's key destruction
report, whichever occurs sooner. This cradle-to-grave audit requirement
applies equally to subordinate CAs as it does to root CAs. Successive
period-of-time audits MUST be contiguous (no gaps).”

https://github.com/BenWilson-Mozilla/pkipolicy/commit/c8bdb949020634b1f8fa31bc060229c600fe6f9d


#154 closed/removed - Require Management Assertions to list Non-compliance
– Add to MRSP section 2.4 “If being audited to the WebTrust criteria, the
Management Assertion letter MUST include all known incidents that occurred
or were still open/unresolved at any time during the audit period.”

https://github.com/mozilla/pkipolicy/issues/154#issuecomment-793124154

#173 resolved - Strengthen requirement for newly included roots to meet all
past and present requirements – Add language to MRSP section 7.1 so that it
is clear that before being included CAs must comply and have complied with
past and present Mozilla Root Store Policy and Baseline Requirements.

Section 7.1 text: “Before being included, CAs MUST provide evidence that their CA
certificates fully comply with the current Mozilla Root Store Requirements
and Baseline Requirements, and have continually, from the time of CA
private key creation, complied with the then-current Mozilla Root Store
Policy and Baseline Requirements.”

https://github.com/BenWilson-Mozilla/pkipolicy/commit/0d72d9be5acca17ada34cf7e380741e27ee84e55


#186 resolved - Clarify MRSP section 5.3 Requirement to Disclose
Self-signed Certificates – Clarify that self-signed certificates with the
same key pair as an existing root meet MRSP section 5.3’s definition of an
intermediate certificate that must be disclosed in the CCADB.

Resolved with:

"Thus, the operator of a CA certificate trusted in Mozilla’s CA Certificate
Program MUST disclose in the CCADB all non-technically constrained CA
certificates they issue that chain up to that CA certificate trusted in
Mozilla’s CA Certificate Program. This applies to all non-technically
constrained CA certificates, including those that are self-signed,
doppelgänger, reissued, or cross-signed."

See
https://github.com/BenWilson-Mozilla/pkipolicy/commit/5a3dd2e9d92ec689e08bf1cfa279121e2bb0478b


#187 resolved - Require disclosure of incidents in Audit Reports – To MRSP
section 3.1.4 “The publicly-available documentation relating to each audit
MUST contain at least the following clearly-labelled information: “ add
“11. all incidents (as defined in section 2.4) …”

Resolved with:

“11. all incidents (as defined in section 2.4) disclosed by the CA,
discovered by the auditor, or reported by a third party, that, at any time
during the audit period, occurred or were open in Bugzilla;”

https://github.com/BenWilson-Mozilla/pkipolicy/commit/a69aa03fb92d1b0c3f74fd560dffefdeed934b45

And additional guidance to be provided here:
https://wiki.mozilla.org/CA/Audit_Statements and/or here:
https://wiki.mozilla.org/CA/Responding_To_An_Incident

#192 resolved - Require information about auditor qualifications in the
audit report – Require audit statements to be accompanied by documentation
of the auditor’s qualifications demonstrating the auditor’s competence and
experience.

Resolved by adding to MRSP section 3.1.4:

“name of the lead auditor and qualifications of the team performing the
audit, as required by section 3.2;” and to MRSP section 3.2:

“A Qualified Auditor MUST have relevant IT Security experience, or have
audited a number of CAs, and be independent. Each Audit Report MUST be
accompanied by documentation provided to Mozilla of the [audit team
qualifications][Auditor-Qualifications] sufficient for Mozilla to determine
the competence, experience, and independence of the auditor.”

With additional guidance to be provided here:

https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications

See
https://github.com/BenWilson-Mozilla/pkipolicy/commit/5254283d6ca76db8f1c012548c1d5376df37cdf4

#205 resolved - Require CAs to publish accepted methods for proving key
compromise – Require CAs to disclose their acceptable methods for proving
key compromise in section 4.9.12 of their CPS.

“Section 4.9.12 of a CA's CP/CPS MUST clearly specify the methods that
parties may use to demonstrate private key compromise.”

https://github.com/BenWilson-Mozilla/pkipolicy/commit/719b834689949e869a0bd94f7bacb8dde0ccc9e4

#206 resolved - Limit re-use of domain name verification to 398 days –
Amend item 5.1 in MRSP section 2.1 with “for server certificates issued on
or after October 1, 2021, verify each dNSName or IPAddress in a SAN or
commonName at an interval of 398 days or less;”

https://github.com/BenWilson-Mozilla/pkipolicy/commit/5aeb11196f5bb175aa5cddd7c60a4f54223b8683


Mozilla Thread is here -
https://groups.google.com/g/mozilla.dev.security.policy/c/7TeSlHFIk5U/m/EcoNoi4bCQAJ

Ballot language for the CA/B Forum is also being worked on here -

https://github.com/BenWilson-Mozilla/servercert/tree/398-day-FQDN-validation
https://github.com/sleevi/cabforum-docs/compare/2020-11-30_Pandocification_without_SC39...BenWilson-Mozilla:398-day-FQDN-validation

#207 resolved - Require audit statements to provide information about which
CA Locations were and were not audited, and the extent to which they were
(or were not) audited

“12. the [CA locations that were or were not audited][Audited-Location];”

https://github.com/BenWilson-Mozilla/pkipolicy/commit/89501d6017d2bf6242661abde9d375a0ca511b37


#211 closed/withdrawn - Align OCSP requirements in Mozilla's policy with
the section 4.9.10 of the Baseline Requirements

Withdrawn because MRSP requirements do not conflict with the Baseline
Requirements and the MRSP provides independent requirements for OCSP
services for SMIME certificates.

#218 postponed - Clarify CRL requirements for End Entity Certificates – For
CRLite, Mozilla would like to ensure that it has full lists of revoked
certificates. If the CA uses partial CRLs, then require CAs to provide the
URL location of their full and complete CRL in the CCADB.

Postponing the following additional language to MRSP section 6.1, “A CA
MUST ensure that it populates the CCADB with the appropriate "full CRL" in
the [CCADB revocation information field pertaining to certificates issued
by the CA][CCADB-Revocation] for each intermediate CA technically capable
of issuing server certificates.”

https://github.com/BenWilson-Mozilla/pkipolicy/commit/cab318a5b944974a6494bd0d57d214ff6898cefa

#221 resolved - Wrong hyperlink for “material change” in MRSP section 8

Replace hyperlink with “there is a change in the CA's operations that could
significantly affect a CA's ability to comply with the requirements of this
Policy.”

https://github.com/BenWilson-Mozilla/pkipolicy/commit/fbe04aa64f931940af967ed90ab98aa95789f057
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy