Hi all,

I'd like to present two pieces of relevant context, and then ask a few
questions. Although this does somewhat concern CA/BF processes and
policies, I am sending this message to MDSP because it concerns a question
of whether a particular action is a violation of the requirements, a topic
upon which the CA/BF itself does not pass judgement.

Context #1:

In the past few weeks, three Bugzilla incidents have been opened regarding
recording the current version of the Baseline Requirements in validation
event audit logs:

- Chunghwa Telecom: Domain validation records without the TLS BR version
<https://bugzilla.mozilla.org/show_bug.cgi?id=2008788>
- iTrusChina: Domain validation records without the TLS BR version
<https://bugzilla.mozilla.org/show_bug.cgi?id=2013805>
- Google Trust Services: Outdated BR version in some validation records
<https://bugzilla.mozilla.org/show_bug.cgi?id=2017747>

The relevant requirement cited in the first two incidents (and I suspect
likely to be cited in the third incident's full report) is from Section
3.2.2.4:

> CAs SHALL maintain a record of which domain validation method, including
> relevant BR version number, they used to validate every domain.

Context #2:

The CA/BF has recently published several new versions of the Baseline
Requirements. For example:

- SC-094, with an Effective Date of 2026-02-16, was merged
<https://github.com/cabforum/servercert/commit/c7da1eeef499cb0d0435c7608392478aa2aca27a>
at 2026-02-16 21:06 UTC, and v2.2.3 was announced on the mailing list
<https://groups.google.com/a/groups.cabforum.org/g/servercert-wg/c/87FqTaC3iBI>
at 2026-02-16 21:13 UTC
- SC-096, with an Effective Date of 2026-02-17, was merged
<https://github.com/cabforum/servercert/commit/24f38fd4765e019db8bb1a8c56bf63c7115ce0b0>
at 2026-02-17 20:30 UTC, and v2.2.4 was announced on the mailing list
<https://groups.google.com/a/groups.cabforum.org/g/servercert-wg/c/AIRxwfZ0oSE>
at 2026-02-17 20:36 UTC
- Both new versions were merged
<https://github.com/cabforum/cabforum.org/commit/70ccb4f320c6651493db96d3a4f5ef5a6198c0c1>
to the website repo at 2026-02-18 03:40 UTC, and the website itself was
updated about four minutes later
<https://github.com/cabforum/cabforum.org/actions/runs/22156466014>

Questions:

1. At what time does a new BRs version become effective? The BRs themselves
only give a date, not including a time nor a time zone. But the new version
of the BRs is often not published until some portion of the way through
that day (or the previous day, or the next day, depending on time zones).
Does a new version become effective at midnight UTC on the date given as
the Effective Date within the document? Or when merged into the `main`
branch of the github repo? When sent to the mailing list? When published to
the website?

2. Let's assume for the moment that a new BRs version becomes effective
when the email announcing it is sent to the mailing list. Suppose a
validation is performed one second after that email is sent, and the CA
records the *previous* Baseline Requirements version number. Is that a
violation of the requirement from Section 3.2.2.4? If yes, is there a
reasonable way for a CA to anticipate publication of a new BRs version and
cease all validation activities until it is actually published?

Thank you for your time and discussion,
Aaron

To view this discussion visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnErddD53vAnY896_kUrVcpPRFrGbP70xH0E550PVOmX1S%3Dg%40mail.gmail.com.