On 15/10/2018 20:01, Kathleen Wilson wrote:
> I have added the following section to the Required Practices wiki page:
> https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#BR_Commitment_to_Comply_statement_in_CP.2FCPS
> I will continue to appreciate feedback on this update.
> Thanks,
> Kathleen
Upon closer look, it appears that most of the "No Stipulation" entries
in the BRs are things for which Mozilla would probably want explicit
statements, even though there are no specific BR requirements.
For example:
1.5.1 Organization Administering this document (CP/CPS)
1.5.3 Person Determining CPS suitability for the Policy
1.5.4 CPS Approval procedures
4.3.2 (Mostly relevant to customer relationship)
4.4.1 (Only relevant to customer relationship)
4.4.2 Publication of the certificate by the CA
4.4.3 Notification of certificate issuance by the CA to other entities
(This would cover CT or other mechanisms suitable for CRLset
generation by Mozilla).
4.5.2 Relying party public key and certificate usage
(This would typically cover disclaiming responsibility if users turn
off revocation checking or interpret the certificate as meaning
something other than a proof of identity of the private key holder).
4.6 CERTIFICATE RENEWAL
This has been the subject of many discussions about appropriateness of
CA procedures.
Except:
4.6.4 (Mostly relevant to customer relationship)
4.6.5 (Only relevant to customer relationship)
4.7 CERTIFICATE RE-KEY
This has been the subject of many discussions about appropriateness of
CA procedures.
Except:
4.7.4 (Mostly relevant to customer relationship)
4.7.5 (Only relevant to customer relationship)
4.8 CERTIFICATE MODIFICATION
This has much relevance to situations of later discoveries of
discrepancies or changes in circumstances. It is a recurring theme in
discussions about revoking such certificates.
Except:
4.8.4 (Mostly relevant to customer relationship)
4.8.5 (Only relevant to customer relationship)
4.9.4 Revocation Request Grace Period
4.9.6 Revocation Checking Requirements for Relying Parties
This interacts closely with the features implemented in Mozilla products.
4.9.8 Maximum Latency for CRLs
4.10.3 Optional Features (for certificate status services)
This would, for example, indicate if the OCSP servers provide ways to
distinguish OCSP status for a real certificate and a fake certificate
with the same serial number, or if there are OCSP privacy features, etc.
4.11 (Mostly relevant to customer relationship)
4.12 Key escrow and recovery policy and practices
This is the subject of a Mozilla requirement (not to provide such).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded