Thanks! Yes, I think it is a required item in WebTrust audit as well. But, for 
example, Google's CPS was updated on Sept 2, 2013, so Google should have its 
CPS updated by Sept 2, 2014. Right? But its audit report states "during the 
period October 1, 2013 through September 30, 2014 [...] The Certificate 
Practice Statement are available 24*7 basis and updated annually".[1]

[1] https://cert.webtrust.org/SealFile?seal=1751&file=pdf

On Saturday, April 4, 2015 at 11:59:55 AM UTC-4, Jeremy Rowley wrote:
> Should have read your email more carefully. Yes, all CAs are required to 
> update annually. Those that don't are out of compliance. I think it's even one 
> of the criteria under WebTrust.
> 
> 
> Eugene <[email protected]> wrote:
> 
> According to the CA Baseline Requirements section 8.2.1, "The CA SHALL 
> develop, implement, enforce, and **annually update** a Certificate Policy 
> and/or Certification Practice Statement that describes in detail how the CA 
> implements the latest version of these Requirements."
> 
> But it seems that, among fifteen root and intermediate CAs that I have 
> checked, four of them haven't updated their CP or CPS documents for more than 
> one year.
> 
> All the CAs that I have checked are:
> Google, Symantec, Go Daddy, DigiCert, CNNIC, GlobalSign, Microsoft, 
> CyberTrust, GeoTrust, WoSign, StartCom, Comodo, Buypass, Chunghwa Telecom, 
> China Financial CA
> 
> Four CAs whose CPS docs are older than 1 year:
> * Google Internet Authority G2 (signed by GeoTrust Global CA): 
> https://pki.google.com/index.html, last updated on September 2, 2013
> * CNNIC: http://www.cnnic.cn/cps/, July 1, 2013
> * StartCom: https://www.startssl.com/policy.pdf, October 31, 2012
> * Chunghwa Telecom: https://epki.com.tw/repository_en.htm, January 19, 2009
> 
> Do they violate the Baseline Requirements?
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
