I noticed that the MRSP section 3.3 states that CPs and CPSes must be made available to Mozilla under a CC-BY-compatible licence, or are considered as licenced under CC-BY-SA v4 to Mozilla and the public when this action has not been taken (3.3 requirement 3).

1.) Does Mozilla re-publish the latest disclosed CPs and CPSes in a central repository? Or, is there a place I can find these documents other than the certificate issuer's website?

This same section 3.3 also reads that a change in the CPS must be added to a changelog via a dated changelog entry.

2.) Is there a guideline on where to find such a changelog? The BR does not seem to have any guidance on this, and "... CAs MUST indicate that this has happened by incrementing the version number and adding a dated changelog entry, ..." is the only mention of such a changelog.

Question 1 arose when I compared the Sectigo CPS with that of LetsEncrypt: Sectigo has an 'all rights reserved' copyright notice on their latest CPS 5.1 [^2], while LetsEncrypt publicly licences it under the CC-BY v4 [^3].

As an example interpretation of how my question 2 arose: Sectigo has an archive of CPSes [^4], but these CPSes do not seem to have a dated changelog entry, neither in the archive list nor in the CPS itself (there is no changelog in the CPS), but do have an 'effective from' date. LetsEncrypt hosts its CPS repository with versions and dates [^5], and has a datestamped changelog in the CPS [^6].

- Matthias van de Meent

[^1] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#33-cps-and-cpses
[^2] https://sectigo.com/uploads/audio/Sectigo-CPS-v5.1.pdf
[^3] https://letsencrypt.org/documents/isrg-cps-v2.5/#1-1-overview
[^4] https://sectigo.com/certificate-practice-statement-archive
[^5] https://letsencrypt.org/repository/#isrg-certification-practice-statement
[^6] https://letsencrypt.org/documents/isrg-cps-v2.5/#1-2-document-name-and-identification

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy