I will close discussion on this matter next Friday, 19-Nov-2021. Right now, I am leaning toward adopting the language presented below.
On Tue, Nov 2, 2021 at 10:41 AM Ben Wilson <bwil...@mozilla.com> wrote:
> All,
>
> This email introduces another issue selected to be addressed in the next
> version of the Mozilla Root Store Policy (MRSP), version 2.8, to be
> published in 2022. (See https://github.com/mozilla/pkipolicy/labels/2.8)
>
> This is Github Issue #229
> <https://github.com/mozilla/pkipolicy/issues/229>.
>
> This issue was previously discussed here:
> https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XsVpyOGlagE/m/xw8JGJYZBAAJ
> .
>
> The proposal is that by July 1, 2022, CAs would have to report all
> technically constrained CAs in the CCADB.
>
> Currently, MRSP § 5.3
> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#53-intermediate-certificates>
> says,
> "All certificates that are capable of being used to issue new certificates
> and that directly or transitively chain to a CA certificate included in
> Mozilla’s CA Certificate Program MUST be operated in accordance with this
> policy and MUST either be technically constrained or be publicly disclosed
> and audited.
> ...
> Thus, the operator of a CA certificate trusted in Mozilla’s CA Certificate
> Program MUST disclose in the CCADB all non-technically constrained CA
> certificates they issue that chain up to that CA certificate trusted in
> Mozilla’s CA Certificate Program. This applies to all non-technically
> constrained CA certificates, including those that share the same key pair
> whether they are self-signed, doppelgänger, reissued, cross-signed, or
> other roots."
>
> MRSP § 5.3.2
> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#532-publicly-disclosed-and-audited>
> would require a slight modification, as well. It states, "All certificates
> that are capable of being used to issue new certificates, that are not
> technically constrained, and that directly or transitively chain to a
> certificate included in Mozilla’s root program: ... MUST be publicly
> disclosed in the CCADB by the CA that has their certificate included in
> Mozilla’s root program."
>
> I have made an attempt to address this further with some commits in my
> GitHub repository:
>
> https://github.com/mozilla/pkipolicy/compare/1829373903c8d58246c781ee11ea77d6d386985a...e6550dba22ed38ac6bdd33677a8bf3d2f00e75de
>
> Among other changes, these commits:
> 1. Move the 4th paragraph in MRSP § 5.3 to the first paragraph of § 5.3.2.
> 2. Move content from the second bullet in MRSP § 5.3.2 to the first
> paragraph and eliminate the bulleted list.
> 3. Delete the sentence, "All disclosure MUST be made freely available and
> without additional requirements, including, but not limited to,
> registration, legal agreements, or restrictions on redistribution of the
> certificates in whole or in part" because it no longer makes sense in the
> context of CA certificate disclosure. (Similar language could be added to MRSP
> § 3.1.4
> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#314-public-audit-information>,
> but it already requires publicly available audit documentation.)
>
> Please provide any additional comments you may have regarding the
> requirement that CAs disclose all subordinate CAs, regardless of whether
> they are technically constrained.
>
> Thanks,
>
> Ben Wilson
> Mozilla Root Program Manager