Hello, I have a question closely related to this. I'd appreciate guidance. I'm refactoring our CP & CPS documents considering that a CA can issue different types of certificates, so there would be multiple CPs and one CPS.

My strategy is that if the stipulation is defined in one of the documents (CP or CPS), then the other document can refer to it (CPS or CP). So, for example, as the CPS will support/implement different CPs, for certain aspects (i.e. suspension), I'd like to refer to the CP as the source, with the text "As stipulated in the appropriate CP". Likewise, in certain cases the stipulation could be defined in the CPS, so the CP would have the text "As stipulated in the CPS". This means that someone evaluating the practices for SSL certificates would have to consider jointly the CP for SSL certificates and the CPS, while someone evaluating personal certificates for email should consider the CP for S/MIME certificates and the CPS. I used this in the past while writing some docs for customers... Would this cross-referencing still be acceptable?

Thanks,
Pedro

On Friday, 12 October 2018 at 2:27:49 (UTC+2), Kathleen Wilson wrote:
> Based on the input into this discussion so far, I propose to add the following section to the Required part of this wiki page:
> https://wiki.mozilla.org/CA/Required_or_Recommended_Practices
>
> We can consider adding text about this directly to Mozilla's Root Store Policy later. (I'll file the request/issue in github.)
>
> -- Proposed Text --
> Section Heading: CP/CPS Structured According to RFC 3647
>
> CP/CPS documents must be structured according to RFC 3647. This requirement is stated in section 2.2 of the CA/Browser Forum Baseline Requirements, effective as of 31 May 2018. Further, CP/CPS documents should include every component and subcomponent, and the placement of information should be aligned with the BRs; e.g. domain validation practices should be documented in section 3.2.2.4 of the CA’s CP/CPS.
>
> The words "No Stipulation" mean that the particular document imposes no requirements related to that section.
>
> Any CPS that falls within the scope of Mozilla’s program must not use the words “No stipulation” unless the corresponding section in the CA/Browser Forum Baseline Requirements states “No stipulation”, “Not applicable”, or is blank. The words “Not applicable” are acceptable to indicate that the CA’s policies forbid the practice that is the title of the section. Language similar to “We do not perform <subject of the section>” is preferred. If a full description of a section is repeated elsewhere in the document, language similar to “Refer to Section 1.2.3” is preferred.
>
> Examples:
> - If your CA does not allow a particular domain validation method to be used, then the CP or CPS should say that, e.g. "This method of domain validation is not used".
> - The BRs do not allow certificate suspension, so the CA’s CPS must state that certificate suspension is not allowed, and then the other sections related to suspension should say “Not applicable”.
> - If your CA does not issue SSL certs containing IP addresses, then section 3.2.2.5, ‘Authentication for an IP Address’ in your CP or CPS should say that such certificate issuance is not allowed; e.g. “No IP address certificates are issued under this CPS.”
> ----
>
> I will appreciate your constructive feedback on this.
>
> Thanks,
> Kathleen

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

