All,

I am considering closing the following delayed revocation Bugzilla
incidents later this week (Friday, 7-Feb-2025), as listed in meta Bug
1911183 <https://bugzilla.mozilla.org/show_bug.cgi?id=1911183>:

1872738 <https://bugzilla.mozilla.org/show_bug.cgi?id=1872738>,
1877388 <https://bugzilla.mozilla.org/show_bug.cgi?id=1877388>,
1884568 <https://bugzilla.mozilla.org/show_bug.cgi?id=1884568>,
1885568 <https://bugzilla.mozilla.org/show_bug.cgi?id=1885568>,
1886110 <https://bugzilla.mozilla.org/show_bug.cgi?id=1886110>,
1886532 <https://bugzilla.mozilla.org/show_bug.cgi?id=1886532>,
1886665 <https://bugzilla.mozilla.org/show_bug.cgi?id=1886665>,
1887110 <https://bugzilla.mozilla.org/show_bug.cgi?id=1887110>,
1887888 <https://bugzilla.mozilla.org/show_bug.cgi?id=1887888>,
1888882 <https://bugzilla.mozilla.org/show_bug.cgi?id=1888882>,
1889062 <https://bugzilla.mozilla.org/show_bug.cgi?id=1889062>,
1890685 <https://bugzilla.mozilla.org/show_bug.cgi?id=1890685>,
1891331 <https://bugzilla.mozilla.org/show_bug.cgi?id=1891331>,
1892419 <https://bugzilla.mozilla.org/show_bug.cgi?id=1892419>,
1896053 <https://bugzilla.mozilla.org/show_bug.cgi?id=1896053>,
1896553 <https://bugzilla.mozilla.org/show_bug.cgi?id=1896553>,
1898848 <https://bugzilla.mozilla.org/show_bug.cgi?id=1898848>,
1903066 <https://bugzilla.mozilla.org/show_bug.cgi?id=1903066>,
1910805 <https://bugzilla.mozilla.org/show_bug.cgi?id=1910805>,
1916478 <https://bugzilla.mozilla.org/show_bug.cgi?id=1916478>, and
1924385 <https://bugzilla.mozilla.org/show_bug.cgi?id=1924385>,

*provided that the CA operator has completed its stated Action Items and
filed a Closure Summary*.

My reasoning is as follows:

I kept these bugs open while we navigated towards a solution for handling
delayed revocations going forward. I believe that the new language in
Mozilla Root Store Policy (MRSP) 3.0, effective March 1, 2025, introduces
significant measures to improve compliance with revocation requirements and
enhance delayed revocation incident reporting.

Under MRSP section 6.1.3, CA operators will be explicitly required to
engage in proactive subscriber communication, more specific contractual
provisions, and mass revocation preparedness to ensure timely certificate
revocation. Additionally, CAs must undergo third-party assessments to
validate their readiness for large-scale revocations and that they have
documented the outcomes of the testing of their mass revocation plans.

MRSP section 2.4 incorporates the updated incident reporting requirements
of the CCADB, and mandates that CAs provide detailed and substantiated
justifications in incident reports, explaining delays and impacts on third
parties. It notes that Mozilla does not have any exceptions for delayed
revocation, and that repeated unjustified delays will result in heightened
scrutiny and potential removal from the Mozilla Root Store.

Also, MRSP section 7.1 will require that new TLS-issuing root certificates
have at least the ability for automated domain control validation,
certificate issuance, and retrieval. This ensures that certificate
management processes are efficient, scalable, and less prone to human
error, aligning with modern security best practices.

CAs and stakeholders should recognize these changes only as first, yet
important, steps in addressing delayed revocation and reporting.

Thoughts?

Thanks,

Ben

To view this discussion visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtab0RUZvDvRxWckzthRLaV0gJ%2BubCWFpnCAsC6SSc8UTVQ%40mail.gmail.com.