I do not feel this point is nitpicky. Externally-referenced documents increase the compliance burden on CAs (and organizations, in general) and introduce unnecessary complexity. Specifying a version is helpful, but we will also need to ensure prior versions of policies are easily accessible and from an authoritative source. CCADB does not currently offer prior versions of policies on its site, at least as far as I can see, but that's where I would expect to see archived policies.
Ideally, the referenced text would be pulled into the referencing policy directly to ensure the requirement is unambiguous. Also, to Tim's point, a statement should be included on when changes to the referenced policy become enforceable to avoid any assumptions by either party.

Cheers,
AP

On Thursday, August 17, 2023 at 1:38:53 PM UTC-6 Tim Hollebeek wrote:

> This is extremely nitpicky and in the weeds, so excuse me, but …
>
> It has been pointed out internally that the draft 2.9 Mozilla policy includes a normative reference in section 3.1.4 to CCADB policy section 5.1, without specifying a version.
>
> This has the practical effect of meaning that CCADB Policy updates to section 5.1 could happen at any time, and CAs are expected to comply immediately with no transition period. This seems extremely dangerous, unintended, and likely to end badly.
>
> I'm not sure what the best fix is. Requirements that reference external documents that can change at any time are always very tricky to handle in a good way.
>
> -Tim
