On Tue, Mar 20, 2018 at 8:19 AM, Ryan Sleevi <r...@sleevi.com> wrote:
>
> Looking through [1], it seems like the Compliance Date has only differed
> from the Publication Date once (with 2.0).
> It's not clear to me that the 2.5 failure of adoption was related to
> ambiguity around compliance dates versus, say, CAs not being in compliance
> until directly chastised for non-compliance.
>

I believe both causes factored into the 2.5 compliance issues, but agree that this change only helps with ambiguity around Compliance Dates.

> Thus, the deferral of 2 months is not entirely clear as to the reasoning.
> Could you speak more to the thinking behind that?
>

To begin, I hope we can agree, even if we don't like it, that changes like this often get done just before the deadline (I believe there is an incentive for this behavior, but all that is necessary here is to accept that it happens regularly). Then the question becomes "what is the deadline?", and of course the answer is the Compliance Date. Then I ask how the Compliance Date is set and communicated to CAs, and that's where I see the problem. For the 2.5 version there was a discussion around phase-in periods for specific changes [1], but as best I can tell the Publication Date (and hence the Compliance Date) was not communicated in advance [2], meaning that CAs had no deadline to work toward. In addition, there was no indication that the policy changes were finalized prior to the Publication Date, so CAs didn't have a stable policy to implement prior to the Publication Date, at which point they were expected to already have complied. My thinking is that this situation encourages CAs to ignore the Compliance Date and work on their own schedules, and that communicating a Compliance Date that is some reasonable amount of time after the Publication Date clarifies our expectations.
[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/VFvlhIFFVbA/tFD51RzMAQAJ
[2] https://groups.google.com/d/msg/mozilla.dev.security.policy/lSyrFEkREZk/9c67Y7bNAQAJ

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy