On Fri, 3 Sep 2021 15:34:47 -0700 (PDT) Brett L <[email protected]> wrote:
> Though we always try to land documentation changes with corresponding
> code changes sometimes it is simply not always feasible.

The above statement is concerning, because section 2.2 of the Baseline Requirements states: "Section 4.2 of a CA's Certificate Policy and/or Certification Practice Statement SHALL state the CA's policy or practice on processing CAA Records for Fully-Qualified Domain Names; that policy shall be consistent with these Requirements."

If a CA doesn't update their CP/CPS at the same time as deploying changes to their CAA policy, they will be out of compliance with the Baseline Requirements, as GTS was for 90 days.

I was expecting the incident response in https://bugzilla.mozilla.org/show_bug.cgi?id=1729097 to address the problem by providing a solution for ensuring GTS' CP/CPS remain up-to-date with GTS' actual policies and practices. Instead, GTS' response is to ensure CPS changes are published by the time of the compliance deadline that motivated the change. This would not have prevented GTS' non-compliance, just limited it to 60 days. (It would, however, have prevented their non-compliance from being externally detectable.)

GTS' response also won't address CP/CPS changes that aren't motivated by BR/MRSP changes, such as adding another CAA Issuer Domain Name. It appears that with GTS' current process for CP/CPS changes, such a change could be delayed by up to a year if it gets "bundled" with GTS' next annual CPS update. To reiterate, this would be a violation of BR section 2.2.

What is GTS doing to make it feasible for them to comply with this requirement moving forward?

Regards,
Andrew
