On Mon, Mar 19, 2018 at 6:28 PM, Wayne Thayer via dev-security-policy <
[email protected]> wrote:

> Historically, the effective dates of new versions of the policy have been
> maintained separately from the policy itself [1]. In our November
> Communication, we learned that many CAs weren’t in compliance with policy
> version 2.5 despite it having been in effect since June [2]. This proposal
> is simply to add the Compliance Date to the policy itself, below the
> version number, to make it more visible.
>
> In addition, I propose that we adopt the norm of setting the Compliance
> Date to 2 months after the Publication Date, to make it clearer that CAs
> are expected to implement whatever changes are necessary no later than the
> Compliance Date. This norm would not affect our ability to define more
> specific Compliance Dates for specific changes to the policy.
>

Looking through [1], it seems like the Compliance Date has only differed
from the Publication Date once (with 2.0).

It's not clear to me that the 2.5 adoption failure was related to
ambiguity around compliance dates versus, say, CAs not being in compliance
until directly chastised for non-compliance.

Thus, the deferral of 2 months is not entirely clear as to the reasoning.
Could you speak more to the thinking behind that?