Working on an update to our Subscriber Agreement, I noticed this text on the wiki:
https://wiki.mozilla.org/CA/Revocation_Reasons#Communication_to_Subscribers

> The Subscriber Agreement or Terms of Use MUST contain provisions imposing on the Applicant itself (or made by the Applicant on behalf of its principal or agent under a subcontractor or hosting service relationship) an obligation and warranty to specify the following revocation reasons when they are applicable to the reason that the subscriber is requesting that their certificate be revoked.

Compare with MRSP:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#611-end-entity-tls-certificate-crlrevocation-reasons

> The CA operator's subscriber agreement for TLS end entity certificates MUST inform certificate subscribers about the revocation reason options listed above and provide explanation about when to choose each option <https://wiki.mozilla.org/CA/Revocation_Reasons>.

Note the difference: wiki says "MUST impose obligation and warranty;" MRSP says "MUST inform." I'm assuming the MRSP is more up to date and is what we should follow.

But this raises a question: the wiki page contains a few normative requirements (all-caps MUST) that are not direct quotations. Should we consider those to be incorporated into the MRSP by reference? If so, we would have to follow the more stringent requirements from the wiki.
