CA/Root Store Policy Archive: Difference between revisions

# [https://www.cabforum.org/documents.html CA/Browser Forum Baseline Requirements] version 1.1.6 added a requirement regarding technically constraining subordinate CA certificates, so item #9 of the [http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html Inclusion Policy] may refer to the BR for details about how to technically constrain a subordinate CA certificate that can sign SSL certs.  
# Make the timeline clear about when the audit statements and disclosure have to happen for new audited/disclosed subCAs. According to the Baseline Requirements sections 17 and 17.4, a pre-issuance Readiness Audit is to be done before the SubCA begins issuing publicly-trusted certs. Then a complete audit is due within 90 days of issuing the first publicly-trusted cert.
# In item #8 of the [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/ Maintenance Policy] recommend that CAs avoid SHA-512 and P-521, especially in their CA certificates. This is to ensure interoperability, as SHA-512 and (especially) P-521 are less well-supported than the other algorithms. (Note: On the page you linked to, P-521 is incorrectly spelled "P-512".)
#* Update reference to SHA-512 -- {{Bug|1129083}}
#* Update reference to P-512 -- {{Bug|1129077}}
# Make it clearer that producing [https://mozillacaprogram.secure.force.com/Communications/CommunicationActionOptionResponse?CommunicationId=a04o000000M89RCAAZ&Question=ACTION%20%234:%20Workarounds%20were%20implemented syntactically valid certificates] is '''required'''. In particular, I think that Mozilla should audit a CA's recently-issued certificates and automatically reject a CA's request for inclusion or membership renewal if there are a non-trivial number of certificates that have the problems mentioned in [[SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix|Mozilla's list of Things for CAs to Fix]].
# When an OCSP response signing certificate expires before the OCSP responses signed by the certificate expire, multiple websites break, particularly sites that use OCSP stapling. Make it a requirement that every OCSP response must have a nextUpdate field that is before or equal to the notAfter date of the certificate that signs it. This should be easy for CAs to comply with.
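The nextUpdate rule proposed in the last item is easy to check mechanically. The script below is an added example, not code from the wiki page or from Mozilla; it uses the `cryptography` package, builds its own throwaway CA, a 30-day delegated OCSP responder certificate and a leaf certificate in memory (all constructed test data, EC keys only), then produces one response whose nextUpdate is 7 days out (compliant) and one whose nextUpdate is 45 days out (outlives the responder certificate, the exact failure mode that breaks stapling). The signer is located by verifying the response signature rather than by trusting the responderID, and a delegated signer is also required to carry id-kp-OCSPSigning.

```python
"""Check that an OCSP response's nextUpdate does not outlive the certificate
that signed it.  Added example (not from the wiki page); uses ``cryptography``
and builds its own CA, delegated responder and leaf in memory, so it runs
offline.  Keys are EC throughout, so signature verification assumes ECDSA."""
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

UTC = dt.timezone.utc


def _field(obj, name):
    """Return a tz-aware UTC datetime (or None) for attribute ``name``, preferring
    the ``*_utc`` accessors that newer cryptography releases provide."""
    value = getattr(obj, name + "_utc") if hasattr(obj, name + "_utc") else getattr(obj, name)
    if value is None:
        return None
    return value if value.tzinfo else value.replace(tzinfo=UTC)


def find_signer(resp, extra_certs=()):
    """Return the certificate whose key verifies the response signature, or None.
    Candidates: certs embedded in the response, then caller-supplied ones."""
    for cert in list(resp.certificates) + list(extra_certs):
        try:
            cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                     ec.ECDSA(resp.signature_hash_algorithm))
            return cert
        except InvalidSignature:
            continue
    return None


def check_response(der, issuer):
    """Apply the proposed rule: nextUpdate must be present and <= the signer's
    notAfter.  Returns a dict with ``compliant`` and a human-readable ``reason``."""
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return {"compliant": False, "reason": "response status %s" % resp.response_status.name}
    signer = find_signer(resp, [issuer])
    if signer is None:
        return {"compliant": False, "reason": "signature does not verify with any known certificate"}
    if signer != issuer:  # delegated responder must carry id-kp-OCSPSigning (RFC 6960 4.2.2.2)
        try:
            eku = signer.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        except x509.ExtensionNotFound:
            eku = []
        if ExtendedKeyUsageOID.OCSP_SIGNING not in eku:
            return {"compliant": False, "reason": "signer lacks id-kp-OCSPSigning"}
    next_update = _field(resp, "next_update")
    signer_not_after = _field(signer, "not_valid_after")
    if next_update is None:
        return {"compliant": False, "reason": "nextUpdate absent"}
    return {"compliant": next_update <= signer_not_after,
            "reason": "nextUpdate %s, signer notAfter %s"
                      % (next_update.isoformat(), signer_not_after.isoformat()),
            "next_update": next_update, "signer_not_after": signer_not_after}


def _cert(subject_cn, issuer, pubkey, signing_key, days, is_ca=False, eku=None):
    """Issue a certificate valid from now for ``days`` days (constructed test data)."""
    now = dt.datetime.now(UTC).replace(tzinfo=None)  # naive UTC is accepted by every release
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    builder = (x509.CertificateBuilder()
               .subject_name(subject)
               .issuer_name(subject if issuer is None else issuer.subject)
               .public_key(pubkey).serial_number(x509.random_serial_number())
               .not_valid_before(now - dt.timedelta(minutes=5))
               .not_valid_after(now + dt.timedelta(days=days))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if eku:
        builder = builder.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return builder.sign(signing_key, hashes.SHA256())


def _ocsp_response(leaf, issuer, responder, responder_key, next_update_days):
    """Sign a GOOD response for ``leaf`` with the delegated responder key."""
    now = dt.datetime.now(UTC).replace(tzinfo=None)
    builder = (ocsp.OCSPResponseBuilder()
               .add_response(cert=leaf, issuer=issuer, algorithm=hashes.SHA256(),
                             cert_status=ocsp.OCSPCertStatus.GOOD, this_update=now,
                             next_update=now + dt.timedelta(days=next_update_days),
                             revocation_time=None, revocation_reason=None)
               .responder_id(ocsp.OCSPResponderEncoding.HASH, responder)
               .certificates([responder]))
    return builder.sign(responder_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def demo():
    """Return (result for a 7-day nextUpdate, result for a 45-day nextUpdate)
    against a responder certificate that expires in 30 days."""
    ca_key, resp_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca = _cert("Example Root (test)", None, ca_key.public_key(), ca_key, 3650, is_ca=True)
    responder = _cert("Example OCSP Responder (test)", ca, resp_key.public_key(), ca_key, 30,
                      eku=[ExtendedKeyUsageOID.OCSP_SIGNING])
    leaf = _cert("www.example.test", ca, leaf_key.public_key(), ca_key, 365)
    good = check_response(_ocsp_response(leaf, ca, responder, resp_key, 7), ca)
    bad = check_response(_ocsp_response(leaf, ca, responder, resp_key, 45), ca)
    return good, bad


if __name__ == "__main__":
    for label, result in zip(("7-day nextUpdate", "45-day nextUpdate"), demo()):
        print("%s: %s (%s)" % (label, "OK" if result["compliant"] else "VIOLATION", result["reason"]))
```

To run the same check against a live site, feed `check_response` the DER bytes of the stapled response (for example from `openssl s_client -status`) together with the issuing CA certificate; a result with `compliant` false and a nextUpdate past the signer's notAfter is precisely the response that clients will start rejecting once the responder certificate expires, even though the response itself is still "fresh".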