[Servercert-wg] Updated Draft for Browser Alignment

Ryan Sleevi sleevi at google.com
Thu Mar 5 09:31:54 MST 2020


Hi all,

As mentioned on the servercert-wg@ call today, I've updated the draft
ballot to align the BRs with existing Root Program Requirements, hopefully
up to date with every Root Program change announced at the Bratislava F2F.
The one exception to that is I have not added
https://support.apple.com/en-us/HT211025 yet, as it wasn't yet published
when I did the alignment pass.

The redline against 1.6.7 (I haven't yet merged in the recent 1.6.8
changes) is at
https://github.com/cabforum/documents/compare/master...sleevi:2019-10-Browser_Alignment

I tried to explain the source of the requirements in the commits, which try
to incorporate:

   - Mozilla Root Store Policy 2.7 -
   https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
   - Microsoft Trusted Root Program (as updated 2020-02-04) -
   https://docs.microsoft.com/en-us/security/trusted-root/program-requirements
   - Common CCADB Policy 1.1 - https://www.ccadb.org/policy

If I've missed requirements, or misinterpreted, please feel free to
highlight :) The subtleties, in particular, around Mozilla's permitted
SHA-1 issuance (which is more restrictive than the BRs in a number of
useful ways), were a bit more complex to capture in an objective, technical
way.

As I mentioned, it's possible that root stores had reached private
understandings with CAs regarding particular requirements. As such, it may
be that some requirements need effective dates in the future. For
requirements that have already been adopted, this doesn't set effective
dates in the past; the effective date would be the adoption of this ballot.