Re: Policy 2.7 Proposal: Clarify Meaning of "Technically Constrained"

On Thu, Mar 28, 2019 at 7:14 PM Wayne Thayer wrote: > The confusion that motivated the proposal was with the inconsistent > definition of the term "technically constrained" in sections 1.1 and 5.3. > It was not directly related to the BRs. My proposed changes take into > account the definition in

Re: Policy 2.7 Proposal: Incident Reporting Updates

On Thu, Mar 28, 2019 at 7:42 PM Wayne Thayer wrote: > On Thu, Mar 28, 2019 at 4:11 PM Ryan Sleevi wrote: > >> On Thu, Mar 28, 2019 at 6:45 PM Wayne Thayer via dev-security-policy < >> dev-security-policy@lists.mozilla.org> wrote: >> >>> **Incidents** >>> > When a CA fails to comply with any requ

Re: Policy 2.7 Proposal: Incident Reporting Updates

On Thu, Mar 28, 2019 at 4:11 PM Ryan Sleevi wrote: > > On Thu, Mar 28, 2019 at 6:45 PM Wayne Thayer via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> We currently expect CAs to deliver incident reports whenever they fail to >> comply with our policy, but this is not a

Re: Policy 2.7 Proposal: Clarify Meaning of "Technically Constrained"

The confusion that motivated the proposal was with the inconsistent definition of the term "technically constrained" in sections 1.1 and 5.3. It was not directly related to the BRs. My proposed changes take into account the definition in the BRs and attempt to avoid inconsistencies in the context o

Re: Policy 2.7 Proposal: Incident Reporting Updates

On Thu, Mar 28, 2019 at 6:45 PM Wayne Thayer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > We currently expect CAs to deliver incident reports whenever they fail to > comply with our policy, but this is not a requirement of our policy. There > is no obvious place to add

Re: Policy 2.7 Proposal: Clarify Meaning of "Technically Constrained"

On Thu, Mar 28, 2019 at 4:53 PM Wayne Thayer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Our current Root Store policy assigns two different meanings to the term > "technically constrained": > * in sections 1.1 and 3.1, it means 'limited by EKU' > * in section 5.3 it

Policy 2.7 Proposal: Incident Reporting Updates

We currently expect CAs to deliver incident reports whenever they fail to comply with our policy, but this is not a requirement of our policy. There is no obvious place to add this in the existing policy, so I propose creating a new top-level section that reads as follows: **Incidents** > When a C

Policy 2.7 Proposal: Clarify Meaning of "Technically Constrained"

Our current Root Store policy assigns two different meanings to the term "technically constrained": * in sections 1.1 and 3.1, it means 'limited by EKU' * in section 5.3 it means 'limited by EKU and name constraints' The BRs already define a "Technically Constrained Subordinate CA Certificate" as:

Intermediate CA Certificate Disclosures

I'd like to remind CAs of Mozilla's disclosure requirement for unconstrained intermediate CA certificates: The CA with a certificate included in Mozilla’s root program MUST disclose > this information within a week of certificate creation, and before any such > subordinate CA is allowed to issue c