I hope you realize that these discussions were happening well after we started 
the inclusion request in Bugzilla, and I can't even see how what we did wasn't 
compliant with BR 8.1, even with the current wording.

Nevertheless, can we at least agree that our plan to advance the start of the 
annual audit period to 9th of May will satisfy both the previous and the 
current criteria? 

Thanks,
Pedro

On Tuesday, 26 June 2018, 0:00:29 (UTC+2), Wayne Thayer wrote:
> On Mon, Jun 25, 2018 at 2:45 PM Ryan Sleevi via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
> 
> > On Mon, Jun 25, 2018 at 5:12 PM, Pedro Fuentes via dev-security-policy <
> > dev-security-policy@lists.mozilla.org> wrote:
> >
> > > 7. In my humble opinion, I think that these requirements must be formalized
> > > in audit criteria or explicitly in the BR, and not raised "ad hoc". Any CA
> > > embarking in an inclusion process should know all requirements beforehand.
> >
> >
> > But they're already arguably part of the BRs, as I showed, and it's up to
> > the relevant groups (WebTrust, ETSI) to ensure that the criteria they adopt
> > reflect what browsers expect. As we see with ETSI and ACAB-c, if the
> > auditor fails to meet those requirements, it's the auditor that's at fault.
> >
> 8.1 is the relevant section of the BRs, and the issue was recently
> discussed on this list:
> https://groups.google.com/d/msg/mozilla.dev.security.policy/rR9g5BJ6R8E/Gwzqquv6BgAJ
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
