On Monday, 15 February 2016, 20:43:35 (UTC+1), Matt Palmer wrote:

> I didn't insinuate it.  I stated it outright.  If you're trying to argue
> that the BRs say you have to behave in a certain way, but you're not
> actually following *all* the BRs, then that's pretty much a textbook
> definition of "acting in bad faith", as far as I'm concerned.

No comment. It's the way you see it and there is nothing more to add.

> 
> > As far as we know, it was notified at CABForum by a Spanish CA and that
> > approach must be accepted because all of the Spanish CAs (including those
> > who are CAB Forum members) are issuing certificates in this way.
> 
> Note that the BRs don't say, "someone" has to notify CABF.  It says *you*,
> as the party that is bound to act in accordance with Section 8, must notify
> CABF.  It doesn't say anything about you having to be a CABF member in order
> to make said notification, so there's no exemption for you there.

I assume that you are really referring to 9.16 (v1.3.x):

"9.16. MISCELLANEOUS PROVISIONS
9.16.1. Entire Agreement
9.16.2. Assignment
9.16.3. Severability
If a court or government body with jurisdiction over the activities covered by 
these Requirements determines that the performance of any mandatory requirement 
is illegal, then such requirement is considered reformed to the minimum extent 
necessary to make the requirement valid and legal. This applies only to 
operations or certificate issuances that are subject to the laws of that 
jurisdiction. The parties involved SHALL notify the CA / Browser Forum of the 
facts, circumstances, and law(s) involved, so that the CA/Browser Forum may 
revise these Requirements accordingly."

Thank you for your suggestion. We interpreted that only CAB Forum members could 
notify the CAB Forum, but we are studying doing so.

> > Maybe a Mozilla representative at CAB Forum may supply additional
> > information about it.
> 
> Or maybe you may, since you're the one arguing for the exception.

You'll agree that if this subject has already been notified and discussed (we 
were not present), Mozilla's representative at CAB Forum would be a trusted 
source in order to summarise the deliberations of the Forum about this issue.


> > Also, we don't suggest that tools must be modified for now but that an
> > exception with this requirement be made, as it was suggested before: "It
> > may be considered an audit qualification that says that including
> > Directory Names is acceptable"
> 
> It would be better if the BRs were amended, so that the qualified audit
> wasn't necessary.
> 
Of course, if this paragraph were rewritten (e.g. as it is in the EV Guidelines 
documents), no exception would be necessary. For now, as was suggested 
before, an audit qualification could be a solution for Spanish CAs.


_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
