On Friday, October 12, 2018 at 6:19:52 AM UTC+8, Matt Palmer wrote: > On Thu, Oct 11, 2018 at 01:06:46PM -0700, Wayne Thayer via > dev-security-policy wrote: > > * The CPS allows “external issuing CAs” but does not clearly state that the > > requirements of BR section 1.3.2 will be met. emSign made the following > > comment in response to this concern: “In the CP/CPS, there is reasonable > > definition for both External Issuing CAs and External RAs. Section 1.1 of > > CP/CPS also promises that BR supersedes this document.” > > To put it mildly, I'm not a fan of "our CPS says X but we promise to follow > the BRs instead". The list of "Bad" items you enumerated, which were all in > the CPS and were fixed up (presumably) as a result of someone external > (possibly you?) going through the CPS and saying "that's not compliant, and > that's not compliant" shows the benefit of explicitly describing practices > in the CPS, rather than just pointing at the BRs and saying "we do that". > > Given that we've just recently had an incident caused by a CA's > misunderstanding of the BRs, anything which increases the chances of > identifying a CA's misunderstanding early (by, for example, explicitly > describing their practices in their CPS) would seem like a good thing. > > - Matt
Hi Matt, To clarify, We do not mean that 'the text in CP/CPS deviates or violates BR, but BR still supersedes'. The clarification to Wayne was mentioning that there was reasonable definition provided on these parts. But if there is something insufficient in definition, we still stick to BR.' The fixes made in CPS is not because of wrong practice, but the definition allowed ambiguity to an external reader (which gave a sense to external reader that we use something extra that violates BR). _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
