Having given this some more thought, I suggest the following changes:

* Forbid "no stipulation" altogether. While there are a few sections where
it would be convenient to use "No stipulation" (e.g. 4.2.3 Time to Process
Certificate Applications), I don't see a requirement for more descriptive
language to be much of a burden (e.g. 4.2.3 could simply state: "we process
applications in a commercially reasonable time but do not publish specific
SLAs"). In the case of a CP that delegates requirements to one or more
CPSs, it is also more informative to state "Refer to CPS section" than to
use "No stipulation". Finally, if we continue to allow "No stipulation", we
really won't know if a CA is aware of this discussion and is using the term
properly.

* Section 1.1 of the BRs describes the reason that some sections are left
blank:

In accordance with RFC 3647 and to facilitate a comparison of other
certificate policies and CPSs (e.g. for policy mapping), this document
includes all sections of the RFC 3647 framework. However, rather than
beginning with a “no stipulation” comment in all empty sections, the
CA/Browser Forum is leaving such sections initially blank until a decision
of “no stipulation” is made.

Some of the blank sections also cover important information (e.g. 3.3.1
Identification and Authentication for Routine Re-key). We shouldn't allow
"No stipulation" for these either.

* Add a requirement that language that only applies to certificates that
are out-of-scope for Mozilla policy must be clearly marked as such. Many
CP/CPSs cover document signing and other certificate usages, but they often
aren't explicit about policies that aren't permitted for TLS and/or email
certificates. For example, it's permissible for a CP/CPS to describe
procedures for certificate suspension in 4.9.15, but it should clearly
state that suspension will not be used with TLS certificates.

* Finally, I think we need some effective date for these as required
practices. One approach would be to require compliance for any CP/CPS dated
after Dec 31, 2018.

- Wayne

On Tue, Oct 23, 2018 at 2:25 AM Kathleen Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> I have updated the section as follows:
> - Removed the sentence that was trying to limit the use of "No
> Stipulation". Hopefully the clarification about what these words mean is
> sufficient.
> - Added bullet points
> - Added "Sections MUST not be left blank. ..."
>
>
> https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CP.2FCPS_Structured_According_to_RFC_3647
>
>
> I continue to appreciate your feedback on this new section.
>
> Thanks,
> Kathleen
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy