All,
In response to survey feedback on the proposed requirements in *section 6.1.3* for mass revocation planning and testing, I have developed a draft *Mass Revocation Incident Preparation and Testing Plan (MRIP&TP)* template. Since this is *not a Mozilla recommendation*, but rather a resource that may help CAs in meeting upcoming requirements, I'm wondering how best to share it. Would it be useful to post it to the list for discussion, or would another approach be preferable? I'd appreciate any thoughts on this.

Thanks,

Ben

On Sunday, February 16, 2025 at 2:18:18 PM UTC-7 Ben Wilson wrote:
> All,
>
> I have reviewed many of the CA operator survey responses, and I am working to present them in a structured and insightful way. I am also preparing an FAQ document that will provide further implementation and compliance guidance for CA operators to address many of the questions and concerns raised in their responses to the survey questions.
>
> To facilitate the display of recent changes to the draft of MRSP 3.0, I have created an additional branch in GitHub, *Updates-from-Survey-Responses* <https://github.com/mozilla/pkipolicy/tree/Updates-from-Survey-Responses>, which reflects proposed revisions based on the feedback received. And, for a direct comparison between the language in the current MRSP 3.0 branch and this new GitHub branch, see: *Comparison of Branches* <https://github.com/mozilla/pkipolicy/compare/695d6c318875a912a4a5ce3fa0d0f6aa1ca5f0d6%E2%80%A6a1a8afe442844db6b9048b4c6bc750ca49c43216>.
>
> One other key step that I'm working on is to prepare MRSP 3.0 for publication on the Mozilla website, pending legal review. We are on track for this, and I want to reaffirm our commitment to the March 1, 2025, effective date.
>
> To ensure everyone is aligned with upcoming compliance milestones, here's a brief overview of key dates (some of which are included in the new GitHub branch):
>
> - *January 1, 2025*: Newly included root CA certificates cannot be dual-purpose (i.e. enabled for both website authentication and email protection). Also, any new root CA certificates with the websites trust bit enabled must demonstrate automated issuance capabilities.
> - *March 1, 2025*: This is the official compliance date when new requirements take effect, unless otherwise specified.
> - *Annual audit periods beginning after March 1, 2025*: CA operators must begin identifying "parked CA keys" in their annual audit reports.
> - *Annual audit periods beginning after June 1, 2025*: A CA operator capable of issuing trusted TLS certificates must obtain a third party assessment of the maintenance and testing of its mass revocation plan.
> - *September 1, 2025*: All CA operators must have a mass revocation plan in place and begin the process to have it tested and evaluated (in accordance with the previous bullet).
> - *April 15, 2026*: Any CA operating a dual-purpose root (with both websites and email trust bits enabled) must submit a transition plan to Mozilla.
> - *December 31, 2028*: The final transition deadline, by which no root CA certificate will have both trust bits enabled.
>
> If you have any questions or need further clarification, please don't hesitate to reach out.
>
> Thanks,
>
> Ben
