On 24/01/18 13:56, Ryan Sleevi wrote:
>> more frequently when requirements change. I propose that we require CAs to
>> update their CPS to comply with version 2.5 of the Mozilla root store
>> policy no later than 15-April 2018.

I think Ryan is right here; the deadline for complying with most of the
new changes was "immediately" - in part, that was due to the nature of
the changes, in that this was possible, and also we put out a call for
"does anyone need an implementation period for any of these things", and
the only response was from GlobalSign, which led to the modification of
the email intermediate compliance dates.

I realise that updating one's CPS to match changes in practice can't be
done overnight - there are change control procedures - but taking 15
months is ridiculous. We should get back to Microsec and tell them that
this is unacceptable. If we do set a "new" deadline for CPS updates, it
should be closer than mid-April, and we should update our policy to make
it clear how fast we expect CPSes to be updated in the wake of
"immediate" new requirements - either from a new version of the policy,
or from some emergency action we take.

> 2 should be inconsequential, but 1 has a very real effect - unless/until
> the CA updates their CP/CPS to explicitly state what methods they are using
> (implicitly disavowing the 'any other method'), then a CA can receive a
> fully compliant audit, despite actively issuing certificates using 'any
> other method', in contravention of Mozilla Policy.

Ryan: I thought you had previously made the case that all CAs actually
had to abide by the latest version of the BRs? If that is so, then
surely your point above is incorrect?

Gerv
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy