All,

Please also consider the addition of GitHub Issue #283 <https://github.com/mozilla/pkipolicy/issues/283> to the list of issues that we would like to address in MRSP v. 3.0. Under Issue #283, we would edit section 7.1 of the MRSP to state that a CA operator filing for inclusion of a new root CA certificate must support at least one automated method of certificate issuance for each type of TLS certificate (EV, OV, DV, IV) that the CA issues.

Thanks,
Ben

On Wednesday, October 2, 2024 at 11:44:10 AM UTC-6 Ben Wilson wrote:
> All,
>
> I have narrowed down the potential issues to be addressed in the version
> 3.0 batch of changes needed in the Mozilla Root Store Policy (MRSP), as
> indicated at https://github.com/mozilla/pkipolicy/labels/3.0. However, I
> am open to any new suggestions. Here is the list of issues slated to be
> addressed:
>
> *Issue #*
>
> *Description*
>
> *263 <https://github.com/mozilla/pkipolicy/issues/263>*
>
> MRSP § 3.3 - CPs/CPSes must follow the common outline of section 6 of RFC
> 3647 and “contain no sections that are entirely blank, having no text or
> subsections”
>
> *270 <https://github.com/mozilla/pkipolicy/issues/270> and 271
> <https://github.com/mozilla/pkipolicy/issues/271>*
>
> MRSP § 2.4 - Initial incident reports should be filed as soon as possible
> but no later than 72 hours after discovery and full incident reports must
> be posted within two weeks of the incident. This is meant to be consistent
> with the CCADB Policy on incident reports -
> https://www.ccadb.org/cas/incident-report.
>
> *275 <https://github.com/mozilla/pkipolicy/issues/275>*
>
> MRSP §§ 3 and 7.1 - Put greater emphasis on the need for period-of-time
> audits.
>
> *276 <https://github.com/mozilla/pkipolicy/issues/276>*
>
> MRSP § 6 - Address delayed revocation of TLS server certificates (to what
> extent does the policy need to address delayed revocation of S/MIME
> certificates?)
>
> *278 <https://github.com/mozilla/pkipolicy/issues/278>*
>
> MRSP § 2 or 2.3 - Reference certificate linting requirements (a la the
> CA/Browser Forum’s TLS Baseline Requirements) and does the policy need to
> address linting of S/MIME certificates?
> See https://github.com/cabforum/smime/issues/212)
>
> *279 <https://github.com/mozilla/pkipolicy/issues/279>*
>
> MRSP §§ 1-7 - Phase out dual-purpose (TLS / S/MIME) root CAs (Needs to
> specify a cut-off date for when root certificate inclusion applications
> cannot be for both trust bits)
>
> *281 <https://github.com/mozilla/pkipolicy/issues/281>*
>
> MRSP § 5.1 - Add P-521 as supported
>
> I will start tracking edits for these proposed changes in GitHub
> <https://github.com/BenWilson-Mozilla/pkipolicy/tree/3.0> (no edits there
> yet).
>
> Please let me know if other items should be added to this batch of changes.
>
> I will start a separate discussion here on each of the issues as listed
> above, but until I do, feel free to make comments here or in GitHub.
>
> Thanks,
>
> Ben
