On 2/4/2015 10:27 PM, Kurt Roeckx wrote: > So maybe the CP/CPS should indicate what the version is they comply > with, and update it on regular basis? Or maybe just say that they will > follow the updates? Since Mozilla's CP requires CA to submit audit report annually, the CA's assertion of compliance is also updated annually. Unless the frequency of updating CP/CPS is more often than annual basis, it makes no difference whether it is stated in CP/CPS or the Webtrust audit statement. I want to point out that having the CA's assertion of compliance with BR in Webtrust audit is a proper approach because it can be read together with Webtrust audit report. If some CAs want to make a statement in CP/CPS to commit "willingness" of following the BR, it should be optional as an expression of endeavor.
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
