Should have read your email more carefully. Yes, all CAs are required to update annually. Those that don't are out of compliance. I think it's even one of the criteria under WebTrust.

Eugene <imfasterthanneutr...@gmail.com> wrote:

According to the CA Baseline Requirements section 8.2.1, "The CA SHALL develop, implement, enforce, and **annually update** a Certificate Policy and/or Certification Practice Statement that describes in detail how the CA implements the latest version of these Requirements."

But it seems that, among fifteen root and intermediate CAs that I have checked, four of them haven't updated their CP or CPS documents for more than one year.

All the CAs that I have checked are: Google, Symantec, Go Daddy, DigiCert, CNNIC, GlobalSign, Microsoft, CyberTrust, GeoTrust, WoSign, StartCom, Comodo, Buypass, Chunghwa Telecom, China Financial CA

Four CAs whose CPS docs are older than 1 year:

* Google Internet Authority G2 (signed by GeoTrust Global CA): https://pki.google.com/index.html, last updated on September 2, 2013
* CNNIC: http://www.cnnic.cn/cps/, July 1, 2013
* StartCom: https://www.startssl.com/policy.pdf, October 31, 2012
* Chunghwa Telecom: https://epki.com.tw/repository_en.htm, January 19, 2009

Do they violate the Baseline Requirements?

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy