On Monday, February 13, 2017 at 4:22:34 AM UTC-8, Gervase Markham wrote:

> That is why, despite some IPR-related tangles, Mozilla will be requiring
> in its next CA Communication that all CAs move to using only those
> documented methods in a fairly short timeframe, regardless of what the
> BRs say. CAs may wish to not wait for that communication to arrive
> before starting to adapt their systems.

Gerv,

One thing to highlight here is that the WebTrust audits are performed against
the BRs and not against the root program requirements. I.e., unless ballot 169
makes it to the BRs, a (naughty) CA may still choose to use "any other method"
and it will not be flagged in the audit report, provided they disclose as such
in the CP/CPS. This means Mozilla will have to review (each) CA's CP/CPS to
determine whether it validates _only_ using methods specified in "the
documented methods" and will have to do so for each CP/CPS update. So hopefully
169 makes its way to BR soon.

-Santhan
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
