On 2/4/2015 6:08 PM, Gervase Markham wrote:
> They are not refusing to comply, they
> just want to change the location of the compliance statement. 
In practice, the WebTrust BR audit report requires the CA's assertion of
compliance with the BRs. It is the proper place to make the compliance
statement because it can be read together with the audit report.
> Or are they basically saying they do not wish to be bound by the latest
> version of the BRs, but only by the version current at the time of their
> last audit?
>
> If so, I'd say No. Mozilla expects all CAs in our program, whether CAB
> Forum members or not, to comply with the latest version of the BRs
> (taking into account any phase-in periods given in resolutions to adopt
> new measures). Inability to do this might be considered indicative of
> deeper problems at the CA.
The point of discussion is misunderstood. There is no doubt that CAs are
willing, or actually required, to commit to compliance with the latest
version of the BRs. Otherwise the CA simply refuses to join the root
program. But making a statement in the CP/CPS means that the CA "has already
complied" with the "latest version" of the BRs. In other words, the CA has
already complied with all potential changes to the BRs at all times. Such a
statement could be a false statement when the "latest version" of the BRs
has been changed and the CA actually cannot comply with the changes at that
time. Hence, users are misled by the statement at that time.

> It may be true that we can only have the compliance of a particular CA
> checked formally once a year at audit time, but we still expect ongoing
> compliance, and reserve the right to use other methods of checking it
> (such as examining issued certificates).
By all means, Mozilla always has the right to check ongoing compliance,
as stated in Mozilla's CP. Making a statement in the CP/CPS or not doesn't
mean anything.

-- Man

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
