On Mon, Feb 15, 2016 at 07:12:05AM -0800, [email protected] wrote:
> On Sunday, 14 February 2016, 21:10:57 (UTC+1), Matt Palmer wrote:
> > If so, have you complied with the next paragraph of section 8 of the BRs,
> > which states "The parties involved SHALL notify the CA/Browser Forum of the
> > facts, circumstances, and law(s) involved, so that the CA/Browser Forum may
> > revise the requirements accordingly."?
> >
> > If you haven't, then you're acting in bad faith by attempting to selectively
> > apply the provisions of the BRs, rather than taking them as a whole in the
> > spirit which they were intended. If you *have*, then it would be valuable
> > to summarise the deliberations of the Forum here, so that the Mozilla
> > community may evaluate the outcomes of those deliberations with regards to
> > the relevant Mozilla policies.
>
> We don't agree about your insinuation of "acting in bad faith".

I didn't insinuate it. I stated it outright. If you're trying to argue
that the BRs say you have to behave in a certain way, but you're not
actually following *all* the BRs, then that's pretty much a textbook
definition of "acting in bad faith", as far as I'm concerned.

> As far as we know, it was notified at CABForum by a Spanish CA and that
> approach must be accepted because all of the Spanish CAs (including those
> who are CAB Forum members) are issuing certificates in this way.

Note that the BRs don't say, "someone" has to notify CABF. It says *you*,
as the party that is bound to act in accordance with Section 8, must notify
CABF. It doesn't say anything about you having to be a CABF member in order
to make said notification, so there's no exemption for you there.

> Maybe a Mozilla representative at CAB Forum may supply additional
> information about it.

Or maybe you may, since you're the one arguing for the exception.

> > > It should be an exception to support this special feature.
> >
> > No, the CABF should amend the requirements to match reality, and then
> > everyone else can change their tools as a result.
>
> Also, we don't suggest that tools must be modified for now but that an
> exception with this requirement be made, as it was suggested before: "It
> may be considered an audit qualification that says that including
> Directory Names is acceptable"

It would be better if the BRs were amended, so that the qualified audit
wasn't necessary. Out of curiosity, though, has your auditor issued such a
qualification in the past? Were you issuing certificates which warranted
such a qualification at the time your last audit was performed? If so, it
would seem we have another case of an auditor not acting in a sufficiently
rigorous manner to preserve the public trust.

- Matt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

