Historically, the effective dates of new versions of the policy have been maintained separately from the policy itself [1]. In our November Communication, we learned that many CAs weren’t in compliance with policy version 2.5 despite it having been in effect since June [2]. This proposal is simply to add the Compliance Date to the policy itself, below the version number, to make it more visible.
In addition, I propose that we adopt the norm of setting the Compliance Date to 2 months after the Publication Date, to make it clearer that CAs are expected to implement whatever changes are necessary no later than the Compliance Date. This norm would not affect our ability to define more specific Compliance Dates for specific changes to the policy.

This is: https://github.com/mozilla/pkipolicy/issues/117

[1] https://wiki.mozilla.org/CA/Root_Store_Policy_Archive
[2] https://groups.google.com/d/msg/mozilla.dev.security.policy/Bs3yRryKWFQ/zJkUtz0GBAAJ

-------

This is a proposed update to Mozilla's root store policy for version 2.6. Please keep discussion in this group rather than on GitHub. Silence is consent.

Policy 2.5 (current version): https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md

