Confirmed users, Administrators
5,526
edits
CA/Root Store Policy Archive: Difference between revisions
m
→Consider for Version 2.3
| Line 73: | Line 73: | ||
* Update item #12 of the [http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html Inclusion Policy] to refer to a more recent version of the [https://www.cabforum.org/documents.html CA/Browser Forum Baseline Requirements]. | * Update item #12 of the [http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html Inclusion Policy] to refer to a more recent version of the [https://www.cabforum.org/documents.html CA/Browser Forum Baseline Requirements]. | ||
* [https://www.cabforum.org/documents.html CA/Browser Forum Baseline Requirements] version 1.1.6 added a requirement regarding technically constraining subordinate CA certificates, so item #9 of the [http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html Inclusion Policy] may refer to the BR for details about how to technically constrain a subordinate CA certificate that can sign SSL certs. | * [https://www.cabforum.org/documents.html CA/Browser Forum Baseline Requirements] version 1.1.6 added a requirement regarding technically constraining subordinate CA certificates, so item #9 of the [http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html Inclusion Policy] may refer to the BR for details about how to technically constrain a subordinate CA certificate that can sign SSL certs. | ||
* In the first bullet point of item #9 of the [ | * In the first bullet point of item #9 of the [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/ Maintenance Policy] remove the "after June 30, 2011" and add MD2 and MD4. | ||
* In the second bullet point of item #9 of the [ | * In the second bullet point of item #9 of the [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/ Maintenance Policy] match [[CA:MD5and1024 | CA:MD5and1024]]; i.e. that the requirement is for SSL and Code Signing certs. | ||
''These items have been considered and discussed in mozilla.dev.security.policy, and will '''not''' be added to Mozilla's CA Certificate Policy:'' | ''These items have been considered and discussed in mozilla.dev.security.policy, and will '''not''' be added to Mozilla's CA Certificate Policy:'' | ||
* ''In item #8 of the [ | * ''In item #8 of the [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/ Maintenance Policy] add DSA 2048. -- [https://groups.google.com/d/msg/mozilla.dev.security.policy/JFmDFlHILOY/KHJzcJezpnQJ Discussion result:]No, we should not add DSA support to Mozilla's CA Certificate Policy, and mozilla::pkix does not need to support DSA certificates.'' | ||
The following items will be discussed in regards to version 2.3 of [ | The following items will be discussed in regards to version 2.3 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's CA Certificate Policy.] | ||
* Clean up the [[CA:Problematic_Practices#Other_considerations_when_updating_the_CA_Certificate_Policy|"Other considerations when updating the CA Certificate Policy"]] section of the [[CA:Problematic_Practices|Potentially Problematic Practices]] page. | * Clean up the [[CA:Problematic_Practices#Other_considerations_when_updating_the_CA_Certificate_Policy|"Other considerations when updating the CA Certificate Policy"]] section of the [[CA:Problematic_Practices|Potentially Problematic Practices]] page. | ||