Re: Policy 2.7 Proposal: Ban "No Stipulation", Blank, and Missing CP/CPS sections

2019-04-23 Thread Wayne Thayer via dev-security-policy
Having received no new comments, I'll plan to include this change in policy
version 2.7.

- Wayne

On Tue, Apr 16, 2019 at 3:40 PM Wayne Thayer wrote:

> I went ahead and added this change to the 2.7 branch:
> https://github.com/mozilla/pkipolicy/commit/1e7f4edb97c4497e2e04442797ebc670e9d80b44
>
> I removed the phrase "In addition to existing rules placed on the
> structure of CPs and CPSes that comply with the CA/Browser Forum Baseline
> Requirements" because we have S/MIME-only CP/CPS' in our program that don't
> have to comply with the BRs.
>
> Given that this is already a required practice, I don't expect there to be
> any concerns from CAs with the compliance date. If there are any CAs that
> will have difficulty with this date, please explain why and what a more
> reasonable date would be.
>
> On Mon, Apr 1, 2019 at 5:18 PM Wayne Thayer wrote:
>
>> In October we discussed the use of "No Stipulation", empty sections, and
>> blank sections in CP/CPSes. [1] The result was an update to the "Required
>> Practices" wiki page. [2] I propose moving this into policy by adding the
>> following paragraph to the bottom of section 3.3 "CPs and CPSes"
>>
>>> In addition to existing rules placed on the structure of CPs and CPSes
>>> that comply with the CA/Browser Forum Baseline Requirements, and effective
>>> for versions dated after 30-September, 2019, CPs and CPSes MUST be
>>> structured according to RFC 3647 and MUST:
>>> * Include at least every section and subsection defined in RFC 3647; and,
>>> * Only use the words "*No Stipulation*" to mean that the particular
>>> document imposes no requirements related to that section; and,
>>> * Contain no sections that are blank and have no subsections.
>>>
>>
>> This is https://github.com/mozilla/pkipolicy/issues/158
>>
>> I will appreciate everyone's input on this proposal.
>>
>> - Wayne
>>
>> [1]
>> https://groups.google.com/d/msg/mozilla.dev.security.policy/Cth8n4mxxmQ/oWV_DgpNBAAJ
>> [2]
>> https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CP.2FCPS_Structured_According_to_RFC_3647
>>
>
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Policy 2.7 Proposal: Incident Reporting Updates

2019-04-23 Thread Wayne Thayer via dev-security-policy
On Tue, Apr 16, 2019 at 12:02 PM Wayne Thayer wrote:

> I've drafted a specific proposal for everyone's consideration:
>
> https://github.com/mozilla/pkipolicy/commit/5f1b0961fa66f824adca67d7021cd9c9c62a88fb
>
Having received no new comments on this proposal, I'll consider this issue
closed and plan to include it in policy version 2.7.

- Wayne


Re: Policy 2.7 Proposal: Require EKUs in End-Entity Certificates

2019-04-23 Thread Wayne Thayer via dev-security-policy
On Fri, Apr 19, 2019 at 7:12 PM Matt Palmer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On Fri, Apr 19, 2019 at 01:22:59PM -0700, Wayne Thayer via
> dev-security-policy wrote:
> > Okay, then I propose adding the following to section 5.2 "Forbidden and
> > Required Practices":
> >
> > Effective for certificates issued on or after April 1, 2020, end-entity
> > certificates MUST include an EKU extension containing KeyPurposeId(s)
> > describing the intended usage(s) of the certificate, and the EKU extension
> > MUST NOT contain the KeyPurposeId anyExtendedKeyUsage.
> >
> > This does not imply that there will be technical enforcement, but also
> > doesn't rule it out.
> >
> > I will appreciate everyone's feedback on this proposal.
>
> If I may pick the absolute smallest of nits, is it "better" if the
> restriction be on certificate notBefore, rather than "issued on"?  Whilst
> that leaves certificates open to backdating, it does make it easier to
> identify misissuance.  Otherwise there could be arguments made that the
> certificate was *actually* issued before the effective date, even though
> there is no evidence that that is the case.
>
Thanks Matt, I can see how that change makes it easier to check for compliance.

I've added my proposal, updated per Matt's suggestion, to the 2.7 branch:

https://github.com/mozilla/pkipolicy/commit/842c9bd53e43904b160e79cb199018252fb60834

Unless there are further comments, I'll consider this issue resolved.

- Wayne
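The proposed section 5.2 text above, keyed on notBefore as Matt suggested, can be expressed as a lint that a CA or a relying party could run over issued certificates. The following Go program is an added example and is not part of the thread or of the mozilla/pkipolicy repository; it uses only the standard library's crypto/x509 package. The effective date is the one from the proposal, the sample certificates are self-signed and constructed inline purely as test input, and the function and label names (CheckEKUPolicy, MakeTestCert, RunSamples) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Effective date taken from the proposal. The check is keyed on notBefore,
// not on an unverifiable "issued on" time, per Matt's suggestion in the thread.
var ekuEffectiveDate = time.Date(2020, time.April, 1, 0, 0, 0, 0, time.UTC)

// id-ce-extKeyUsage (RFC 5280 section 4.2.1.12); used to tell "no EKU
// extension at all" apart from "EKU extension present".
var oidExtKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37}

// CheckEKUPolicy returns nil when cert satisfies the proposed text (or is out
// of scope), otherwise an error naming the violation.
func CheckEKUPolicy(cert *x509.Certificate) error {
	if cert.IsCA {
		return nil // the proposal covers end-entity certificates only
	}
	if cert.NotBefore.Before(ekuEffectiveDate) {
		return nil // predates the effective date, out of scope
	}
	hasEKU := false
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidExtKeyUsage) {
			hasEKU = true
			break
		}
	}
	if !hasEKU {
		return errors.New("end-entity certificate lacks an EKU extension")
	}
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageAny {
			return errors.New("EKU extension contains anyExtendedKeyUsage")
		}
	}
	return nil
}

// MakeTestCert builds a self-signed certificate with the given notBefore, EKU
// list and CA flag. It exists only to construct sample input for the check.
func MakeTestCert(notBefore time.Time, ekus []x509.ExtKeyUsage, isCA bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.test"}, // constructed
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(90 * 24 * time.Hour),
		ExtKeyUsage:           ekus, // nil means no EKU extension is emitted
		BasicConstraintsValid: isCA,
		IsCA:                  isCA,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RunSamples evaluates constructed certificates covering each branch of the
// policy and returns the result per descriptive label (nil = compliant).
func RunSamples() (map[string]error, error) {
	after := time.Date(2020, time.May, 1, 0, 0, 0, 0, time.UTC)
	before := time.Date(2019, time.May, 1, 0, 0, 0, 0, time.UTC)
	samples := []struct {
		label     string
		notBefore time.Time
		ekus      []x509.ExtKeyUsage
		isCA      bool
	}{
		{"serverAuth after effective date", after, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, false},
		{"no EKU after effective date", after, nil, false},
		{"anyExtendedKeyUsage after effective date", after, []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, false},
		{"no EKU before effective date", before, nil, false},
		{"CA certificate without EKU", after, nil, true},
	}
	results := make(map[string]error, len(samples))
	for _, s := range samples {
		cert, err := MakeTestCert(s.notBefore, s.ekus, s.isCA)
		if err != nil {
			return nil, err
		}
		results[s.label] = CheckEKUPolicy(cert)
	}
	return results, nil
}

func main() {
	results, err := RunSamples()
	if err != nil {
		panic(err)
	}
	for label, res := range results {
		fmt.Printf("%-42s %v\n", label, res) // <nil> means compliant
	}
}
```

The check scans the raw extension list for id-ce-extKeyUsage rather than relying on the parsed ExtKeyUsage slice alone, so a certificate whose EKU extension is present but carries only unrecognised KeyPurposeIds is still counted as having one, and a certificate with no extension at all is flagged. Real-world linting would also want to skip certificates from CAs outside the program, which this example does not attempt.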