On 17/01/17 23:32, Ryan Sleevi wrote: > BRs 1.3.0 ( https://cabforum.org/wp-content/uploads/CAB-Forum-BR-1.3.0.pdf > ) already include the clause (in Section 2.2) that: > "The CA SHALL publicly give effect to these Requirements and represent > that it will adhere to the latest published version."
Hmm. I was not aware of that. I wonder how many CAs are aware that according to the BRs, any changes to the BRs by default come in immediately the motion is passed and the document is updated. Perhaps I'm the only person who didn't know this. > So despite Mozilla Policy requiring 1.3.0, up until the passage of > Ballots 180/181, CAs were already on the hook and expected to comply > with the BRs 1.4.1 - meaning implementing the methods of Ballot 169 by > 1 March 2017. > > Up until the questions by Apple in the Forum, there had not been any > debate or disagreement about what the 'latest published version' was, > either within the Forum or within mozilla.dev.security.policy. You'll need to give me a more specific reference; I don't remember any such question, and a quick scan back through top-level posts from Apple employees hasn't revealed it. > It's > unclear whether Mozilla shares Apple's interpretation about the > legitimacy of all versions of the BRs prior to 1.4.2, but based on > your replies, it does not seem you agree on substance. That is, BRs > 1.3.0 were/are a valid version of the BRs, at least within the spirit > and intent of the Mozilla policy, and so too by that logic are > versions 1.3.7, 1.4.1, and 1.4.2, which were passed in the same > manner. Yes, that's my view. > and it > seems that the reference to a specific version in Policy 2.4 is > perhaps superflous, so long as the Section 2.2 remains in force in the > BRs. So the suggestion is that we just update our policy to require adherence to the latest version of the BRs, on the basis that this is what the BRs require anyway? Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
