In the past, new policy versions have not had a clearly defined future effective date. That seems to have led some CAs to interpret the timing for making changes to be "whenever we get around to it" instead of the intent of "the policy is effective immediately and we expect you to comply with it as soon as possible". Given this abuse, I'd prefer to put a date on each new version of the policy by which CAs are expected to comply with it. This date would be 2-3 months after the policy was announced, but would also allow specific carve-outs for changes that take longer.
- Wayne

On Wed, Jan 24, 2018 at 3:01 AM, Gervase Markham <g...@mozilla.org> wrote:

> On 24/01/18 00:47, Wayne Thayer wrote:
> > more frequently when requirements change. I propose that we require CAs to
> > update their CPS to comply with version 2.5 of the Mozilla root store
> > policy no later than 15-April 2018.
>
> I think we should have a more general stipulation that Mozilla does not
> consider it reasonable to take more than N months to make an update to a
> CPS, with N being a number like 3 or 2.
>
> Now, a particular change may require code changes as well, and the CPS
> may only be updated when those are made, and that might take longer -
> that's fine. But if the requirement is e.g. "add some extra contact
> information", that's not fine. CAs should not be in the habit of having
> processes where their CPSes are only updated yearly.
>
> Gerv
> _______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy