On Wed, Mar 21, 2018 at 2:43 AM, Ryan Sleevi <r...@sleevi.com> wrote:

>
>
> On Tue, Mar 20, 2018 at 8:27 PM, Wayne Thayer via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>>
>>
>> > I am specifically thinking of CP/CPS updates, which were a major part of
>> the problem with version 2.5 compliance. There are a few proposals in the
>> 2.6 queue that also require CP/CPS updates. Would you expect those to
>> trigger an exception as described above?
>>
>
> Yup, I think it totally makes sense to phase those in, since they first
> need to be finalized (via Publication) before CAs can fully update to be
> conformant.
>

Assuming those CP/CPS requirements make it into the 2.6 version, I will
plan to propose setting the Compliance Date for this specific version to be
2 months after the Publication Date, while not changing the default of
setting them to the same date for future versions of the policy. I think
that addresses both of our concerns.

>> I think we both agree that compliance with 2.5 was a problem that we'd
>> like to address. I've put forth the argument that having Compliance Date >
>> Publication Date could help to improve that. Do you disagree with my
>> assertion, or simply feel that on balance it is better to have new policies
>> enacted sooner but with less compliance? Maybe a better solution would be
>> to ask CAs to attest to their compliance via a survey each time we publish
>> a new policy version?
>
>
> I don't think having Compliance Date > Publication Date will, in general,
> help for situations of CAs being non-compliant. I think it will help with
> some things - if their non-compliance was due to, for example, updating
> systems or CP/CPSes - but I think it will harm other things - e.g. CAs
> monitoring m.d.s.p. or disclosing certain things.
>
> Regarding CAs attesting to compliance, I think that will help, but not
> because of the Compliance Date or Publication Date. Rather, it will help
> because no matter what we do or say, there are a subset of CAs who simply
> will not and do not spend time following m.d.s.p. and only reply to emails
> and only after several emails have gone by and only after being shamed at
> the risk of distrust.
>

I agree, and will plan to send a CA Communication when the new version is
published.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy