On Thu, Oct 11, 2018 at 01:06:46PM -0700, Wayne Thayer via dev-security-policy wrote:

> * The CPS allows "external issuing CAs" but does not clearly state that the
> requirements of BR section 1.3.2 will be met. emSign made the following
> comment in response to this concern: "In the CP/CPS, there is reasonable
> definition for both External Issuing CAs and External RAs. Section 1.1 of
> CP/CPS also promises that BR supersedes this document."
To put it mildly, I'm not a fan of "our CPS says X but we promise to follow the BRs instead". The list of "Bad" items you enumerated, which were all in the CPS and were fixed up (presumably) as a result of someone external (possibly you?) going through the CPS and saying "that's not compliant, and that's not compliant", shows the benefit of explicitly describing practices in the CPS, rather than just pointing at the BRs and saying "we do that".

Given that we've just recently had an incident caused by a CA's misunderstanding of the BRs, anything which increases the chances of identifying a CA's misunderstanding early (by, for example, explicitly describing their practices in their CPS) would seem like a good thing.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy