On Wed, Jan 18, 2017 at 7:16 AM, Gervase Markham <g...@mozilla.org> wrote:
> On 17/01/17 23:32, Ryan Sleevi wrote:
> > BRs 1.3.0 ( https://cabforum.org/wp-content/uploads/CAB-Forum-BR-1.3.0.pdf
> > ) already include the clause (in Section 2.2) that:
> > "The CA SHALL publicly give effect to these Requirements and represent
> > that it will adhere to the latest published version."
>
> Hmm. I was not aware of that. I wonder how many CAs are aware that
> according to the BRs, any changes to the BRs by default come in
> immediately the motion is passed and the document is updated. Perhaps
> I'm the only person who didn't know this.

I am surprised, since we discussed it during the Scottsdale F2F in the CA/Browser Forum :)

See https://cabforum.org/2016/02/17/2016-02-17-minutes-of-f2f-meeting-37/#Compliance-Assessment-Coordination-with-auditors-and-browsers

"Some CAs say they were audited to an older version of the BRs; therefore it would appear that the CA only thinks the need to comply with the older version of the BRs. This is not correct as the BRs state that the CA has to have a CPS statement that they comply with the latest version of the BRs."

> You'll need to give me a more specific reference; I don't remember any
> such question, and a quick scan back through top-level posts from Apple
> employees hasn't revealed it.

There's not some single top-level post that states this - but it was the whole purpose of Ballots 180/181, which is the view that the Forum did not follow its Bylaws (with respect to either voting vs IP review period or with respect to the formation of a PAG following disclosures, going back to the first adoption of the BRs) therefore invalidates the adoption. Which is why we had Ballots 180/181 - to ensure that all members were happy that 'the process' was followed and all documents produced were done so in a way consistent with the Bylaws.

It's procedural administrivia, certainly, and not one anyone advanced until Apple raised concerns, largely in part due to the proposed ways of resolving the lack of disclosure notices being provided during much of Dean's chairing.

> So the suggestion is that we just update our policy to require adherence
> to the latest version of the BRs, on the basis that this is what the BRs
> require anyway?

Yes. That gets you to Ballot 181 / v 1.4.2. However, you would then need to clarify (at least for 1.4.2) that the only acceptable forms of any other are the 169 methods.