Gerv,

I'd like to push a little and suggest that the IP issues are not a
significant reason for Mozilla not to formalize on 1.4.1 (e.g. with
169 included).

Notably, 1.3.7 also has IP encumbrances - and uncertainty - the same
as 1.4.1, so presumably, Mozilla is OK with having encumbered methods
included. Considering some of these exclusions have existed since the
BR's adoption, that doesn't seem an unreasonable conclusion.

So what's the difference between 1.3.7 and 1.4.1?
- A few methods were introduced which may or may not be encumbered
- The ability for the CA to select anything they want to argue is
equivalent is removed

I would presume that your contention with 139 is not because new
methods were (potentially) encumbered, but on the basis that it
removes the "any other method". Given that there are other methods
available (as reaffirmed by Ballot 181) that have no encumbrances by
CA/B Forum members, and given that potentially *any or all* of the
methods used may be encumbered by non-Forum members (who have no
obligation to disclose), it does not seem that it creates any new
meaningful risk for Mozilla to impose 1.4.1 upon CAs.

Indeed, if anything, the recent events shown with GoDaddy hopefully
demonstrate to Mozilla that 1.4.1 (that is, with Ballot 169 included)
provides better security to your users and the Internet at large, by
formally prohibiting the use of methods outside of that list.

Given that you can always revisit it if a CA can provide demonstrable
evidence of concern and proposed alternatives, without waiting on the
CA/Browser Forum, I'd like to encourage you that 1.4.1 is no worse
than 1.3.7, either technically or from an IP encumbrance perspective,
but is significantly and substantially better.


On Thu, Jan 12, 2017 at 12:44 PM, Jeremy Rowley
<[email protected]> wrote:
> I agree with this approach. Nothing of note was included after the domain
> validation passed so making 1.3.7 the effective version makes sense.
>
> -----Original Message-----
> From: dev-security-policy
> [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla
> .org] On Behalf Of Gervase Markham
> Sent: Thursday, January 12, 2017 9:45 AM
> To: [email protected]
> Subject: Policy 2.4 Proposal: Update required version number of Baseline
> Requirements to 1.3.7
>
> Point 12 of the Inclusion section requires conformance to the Baseline
> Requirements version 1.3, released on 16th April 2015. The current version
> is 1.4.1.
>
> I propose changing to version 1.3.7. This is the one before the version
> which updated the domain validation requirements and which has had to be
> walked back due to the IPR issues. Once the dust settles, we can look at
> updating again. See the bug for more info on the logic here.
>
> This is: https://github.com/mozilla/pkipolicy/issues/30
>
> -------
>
> This is a proposed update to Mozilla's root store policy for version 2.4.
> Please keep discussion in this group rather than on Github. Silence is
> consent.
>
> Policy 2.3 (current version):
> https://github.com/mozilla/pkipolicy/blob/2.3/rootstore/policy.md
> Update process:
> https://wiki.mozilla.org/CA:CertPolicyUpdates
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy