On Sun, July 27, 2014 7:41 pm, Jeremy Rowley wrote:
> You can tell which BR version
> the cert complies with by looking at the issuance date,
No. You can't. Surely you don't mean to tell me that if I go find a cert DigiCert issued last week that I can safely assume it's going to conform to BR 1.1.8, do you?

The most recent WebTrust Seal linked from your page, Seal ID 1527, documents that DigiCert was audited to WebTrust 2.0 by KPMG, dated 12 July 2013, and covering through 31 March 2013. Your CP (v4.06) and CPS (v4.06) are both dated May 14, 2014. But BR 1.1.8 is dated 5 June 2014 (replacing 1.1.7, dated 3 April 2014).

Can I tell, from looking at the issuance date, which BR version a cert issued on July 20 2014 was issued under? Would I be safe in assuming 1.1.8, even though it's newer than your CP/CPS? Should I assume your CP/CPS were updated to reflect through 1.1.7? What about the fact that WebTrust for BR, v1.1 (Amended), the most recent version published by AICPA, is set with an effective Jan 31, 2013 date, which corresponds to the time between BR 1.1.1 and BR 1.1.2 (1.1.2 introducing the language regarding wildcard certs and gTLDs)?

There's no reasonable, programmatic way to determine which, out of all these criteria, DigiCert is claiming conformance to, short of manually inspecting CP/CPSes. This is where the OID nightmare comes from. There are 15 versions of the BRs. There are three versions of WebTrust for BRs. I haven't bothered to count how many ETSI versions. From the DigiCert repository ( http://www.digicert.com/ssl-cps-repository.htm ) I see there have been four versions of your CP/CPS since the BRs went into effect.

And this, of course, ignores the practice that some CAs (but presumably not DigiCert) practice, of 'backdating' the issuance date of certs for compatibility reasons (or, allegedly, accounting, although that's a bit specious).

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

