Some initial thoughts:

1) Membership in the CAB Forum is not required for a CA to commit to complying 
with the BR, and if non-membership avoids any obligation to comply with the 
BRs, I think you'll quickly see a mass exodus from the group.  No member of the 
CAB Forum is bound to its requirements by agreement or through participation.  
Instead, the requirements are only imposed by the browsers as part of their 
root programs.   
2) The goal of Section 8.3 is for the CA to inform the public about which certs 
are being issued in compliance with the BRs and which are not.  It's not a 
marketing requirement.  It's a technical requirement to provide relying parties 
(and browsers) information about how the CA operates. Section 8.3 basically 
requires the CA to assert that it is doing the MINIMUM required to issue certs. 
Any CA unwilling to assert this should not be issuing trusted certs.
3) Every CA should comply with the latest version of BRs.  CAs who are so 
inflexible that they can't keep up with the "minor" changes made by the CAB 
Forum really shouldn't be issuing certs. Recent "minor" changes include 
deprecation of 1024 bit certs, SHA2 migration, deprecation of internal names, 
etc.  These are pretty important issues, all of which should be promptly 
implemented by CAs when adopted. 
4) Although relying parties might not frequently review audit reports and CPS 
docs, the Mozilla community does look at CPS docs.  Asserting compliance in the 
CPS lets the community know the criteria under which the CA is operated and 
permits them to compare the CPS to a third party standard.  Without the 
assertion, the CA isn't telling you anything about which policy they are 
operating under.

Obviously, I think an exception to this simple requirement is a mistake.

Jeremy




-----Original Message-----
From: dev-security-policy 
[mailto:dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org]
 On Behalf Of Kathleen Wilson
Sent: Wednesday, January 28, 2015 3:49 PM
To: [email protected]
Subject: Question about BR Commitment to Comply

All,

https://wiki.mozilla.org/CA:BaselineRequirements
Currently says: "The CA's CP or CPS documents must include a commitment to 
comply with the BRs, as described in BR section 8.3."

I have been asked if a CA can have their Webtrust audit statement indicate 
their commitment to comply with the BRs, rather than putting the commitment to 
comply statement in the CP/CPS.

Here are the reasons:

1) We are not a member of CAB/Forum and do not have any mutual agreement that 
can bind the obligations and responsibilities of both parties. It seems that 
the BR keeps changing very often.

2) The requirement of BR section 8.3 is quite weird as there is no such 
requirement in other audit criteria such as WebTrust. Would it be a marketing 
requirement rather than a technical requirement?

3) Further to (1) above, the proposed statement in BR section 8.3 also requires 
the CA to adhere to the latest published version. But nobody can assure compliance 
with it all the time. Even if a particular version number could be stated, 
practically it'll take quite a long time to modify our CPS just due to some 
minor changes in BR by CAB/Forum.

4) On the other hand, since CAs are required to perform a Webtrust audit annually 
anyway, it seems more appropriate for the Webtrust audit statement to disclose 
which version of the BR the CA adheres to.

I will appreciate your thoughtful and constructive suggestions about this.

Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
