Mozilla Root Store Policy MRSP 2.7.1 Update

2021-03-30 Thread Ben Wilson via dev-security-policy
All,

Version 2.7.1 of the Mozilla Root Store Policy (MRSP) is now saved in
Mozilla's GitHub repository with an effective date of May 1, 2021.
See https://github.com/mozilla/pkipolicy/blob/master/rootstore/policy.md
Here is the redline: https://github.com/mozilla/pkipolicy/pull/223/files

Soon we will publish it to
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/.

We are drafting a CA Communication and Survey to send out to CAs in the
root program within the next week.

Thanks,

Ben
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Providing Auditor Qualifications (was Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications)

2021-03-30 Thread Ben Wilson via dev-security-policy
All,

Here, for your review and comment, is the final version of the wiki page
guidance on providing auditor qualifications. I appreciate the input we
received from ETSI and WebTrust audit groups on this current version.

https://wiki.mozilla.org/CA/Audit_Statements#Providing_Auditor_Qualifications

Please also let me know if you have any questions.

Thanks,

Ben

On Fri, Mar 26, 2021 at 3:20 PM Ben Wilson wrote:

> All,
> As discussed previously, here is a draft amendment to the Audit Statements
> wiki page for your review and comment:
>
> https://wiki.mozilla.org/CA/Audit_Statements#Providing_Auditor_Qualifications
> Sincerely yours,
> Ben
>
>


Re: Prioritization of Root CA Inclusion Requests

2021-03-30 Thread Ben Wilson via dev-security-policy
For future reference, this is now posted here:
https://wiki.mozilla.org/CA/Prioritization.

On Wed, Mar 24, 2021 at 4:49 PM Ben Wilson wrote:

> All,
>
> I'd like to have you review the prioritization proposal below, which will
> help us as we process CA inclusion requests. (
> https://wiki.mozilla.org/CA/Application_Process)
>
> Thanks,
>
> Ben
>
> ---
>
> Prioritization of CA Root Inclusion Requests will be based on the factors
> described below and use the P1-P5 Priority categories available in the
> Bugzilla system with our own priority categorization for the CA root
> inclusion program.
>
> - *P1 = High* (Applicant has good compliance history and is replacing an
>   already-included root)
> - *P2 = Medium High* (Applicant is well-prepared and responsive, with a
>   good history of policy compliance)
> - *P3 = Medium* (Applicant’s request and responsiveness are “average”,
>   but demonstrates compliance with policies)
> - *P4 = Medium Low* (Applicant’s responsiveness and compliance history
>   are “average”)
> - *P5 = Low* (Applicant has much work to do, is slow to respond to
>   requests, or has not demonstrated full compliance with policies)
>
> Factors assessed in setting the above-referenced priorities, in order of
> importance, are:
>
> 1 - Alignment with Mozilla Manifesto -
> https://www.mozilla.org/en-US/about/manifesto/
>
> 2 - Compliance (Based on the compliance history of existing CA operators,
> and their responsiveness to issues)
> https://wiki.mozilla.org/CA/Incident_Dashboard
>
> 3 - Replacing Existing (Existing CA operators that are replacing an
> already-included root certificate)
> https://wiki.mozilla.org/CA/Certificate_Change_Process
>
> 4 -  Responsiveness/Complete and Timely (Applicant provides clear,
> complete, concise and timely responses to questions, comments, or concerns
> about their root inclusion request)
>
> 5 - Single-Purpose, Separate Roots (Hierarchies that are separated by
> root for a particular purpose)
> https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CA_Hierarchy
>
>
> 6 - CA Hierarchy Control (CA hierarchies comprised solely of CAs fully
> controlled by the applicant)
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#53-intermediate-certificates
>
>
> 7 - Completeness (Applicant completes all information in CCADB)
> https://wiki.mozilla.org/CA/Information_Checklist#Create_a_Root_Inclusion_Case
>
> 8 - CPS Quality (Initially provided CP/CPS documents fully meet Mozilla’s
> Root Store Policy and the CAB Forum Baseline Requirements)
> https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Publicly_Available_CP_and_CPS
>
>
> 9 - Updating Trust Bits or EV-Enablement of Already-Included Root
> Certificate (Existing CAs that are only requesting EV enablement or
> adding a trust bit to an already-included root certificate)
> https://wiki.mozilla.org/CA/Certificate_Change_Process#Enable_EV
>
> 10 - Ready (Detailed CP/CPS Review is complete and CA is “Ready for
> Discussion”)
> https://wiki.mozilla.org/CA/Application_Verification#Detailed_Review
>


Job/Job Posting: Chrome Root Program

2021-03-30 Thread Ryan Sleevi via dev-security-policy
[Posting in a Google hat]

Several years ago [1], Kathleen opened a discussion about whether it would
be OK to post job opportunities here. While the discussion didn't come to a
firm conclusion, and there were those both for and against such postings, I
reached out to Ben and Kathleen to check that it would be OK before posting
this, and they shared that they were OK with it.

Emily (CC'd) was originally going to post this, but in light of [1], we
thought it might be better if I did. If you have any questions, you can
follow-up with Emily directly, and I'm always happy to connect you with
her, in the event you use a mail/newsgroup client that hides CCs here for
the message.

In case it's not obvious, this is the team I'm on here at Google. Given the
Chrome Root Program's goal [2] of continuing public collaboration here on
m.d.s.p., hopefully folks see this as directly relevant to this list :)

---

Chrome is hiring software engineers [3] and a TPM/PgM [4] interested in
security, PKI, applied crypto, and related topics in the Washington D.C.
area. These new hires will help build out Chrome's root program: managing
trust decisions in CAs, building and maintaining Chrome's certificate
verification and TLS stack, and building tooling and measurement software
for guiding policy decisions. This work is part of Chrome's Trusty
Transport team, with the full stack of HTTPS in scope, from BoringSSL to
TLS to the UI/UX of connection security. More broadly, the team is part of
the Chrome Trust and Safety org, which is growing the Washington D.C.
office rapidly this year, so there will be plenty of like-minded Chromies
around.

NOTE: The min qualifications listed in the software engineer posting are
exaggerated. We're hiring both senior and junior SWEs, so please apply if
you're interested, even if you don't meet the minimum qualifications listed.

---

[1]
https://groups.google.com/g/mozilla.dev.security.policy/c/dn0qEZrxbQA/m/h9ojtox6AgAJ
[2]
https://groups.google.com/g/mozilla.dev.security.policy/c/3Q36J4flnQs/m/VyWFiVwrBQAJ
[3] https://careers.google.com/jobs/results/109182492218401478/
[4] https://careers.google.com/jobs/results/121728729358443206/


Re: CCADB Update to Audit and Root Inclusion Cases March 25-29

2021-03-30 Thread Kathleen Wilson via dev-security-policy

All,

The CCADB update has been completed, and the "UNDER CONSTRUCTION" notice 
will be removed today.


There is still some cleanup that we will be doing, but you may proceed 
with using Audit Cases and Root Inclusion Cases now.


Please let me know if you run into any problems with the CCADB.

Thanks,
Kathleen


On 3/25/21 11:22 AM, Kathleen Wilson wrote:

All,

We will be applying updates to CCADB Audit Cases and Root Inclusion 
Cases starting tonight, March 25, and expected to be completed the 
afternoon of March 29.


We will post the following message on the CCADB home page while the 
updates are in progress.


--
UNDER CONSTRUCTION: Audit Cases and Root Inclusion Cases are being 
updated March 25 to March 29. Please avoid using them until this update 
has been completed. This message will be removed when the changes are done.

--

The goal of these updates is to extend Root Inclusion Cases to be usable 
by other root stores. After this update, both Apple and Mozilla will be 
able to use Root Inclusion Cases. There is a significant amount of code 
that is common to Audit Cases and Root Inclusion Cases, so Audit Cases 
will also be impacted during the update.


Please let me know if you have any questions about this, or run into 
other problems in the CCADB.


Thanks,
Kathleen


