I'm with Jakob on this, but the point is moot because Kathleen chose not to adopt that suggestion. Instead, using "no stipulation" is a SHOULD NOT until we update the root store policy. I would encourage CAs to update their CPSs proactively to comply with this, but there isn't yet a deadline.
- Wayne On Wed, Oct 24, 2018 at 7:25 AM Tim Hollebeek via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > That may be true, but I don't see any upside for using that date. If you > need > to make a minor CPS update in early January for any reason, you now have > additional work. > > I think late December policy changes should be avoided as a general rule. > > -Tim > > > -----Original Message----- > > From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org > > > > On Behalf Of Jakob Bohm via dev-security-policy > > Sent: Wednesday, October 24, 2018 9:44 AM > > To: mozilla-dev-security-pol...@lists.mozilla.org > > Cc: Jakob Bohm <jb-mozi...@wisemo.com> > > Subject: Re: What does "No Stipulation" mean, and when is it OK to use > it in > > CP/CPS? > > > > On 24/10/2018 00:08, Tim Hollebeek wrote: > > > I agree with you, but December 31 is a particularly horrible compliance > > deadline. Perhaps January 31? > > > > > > > Note that the requirement applies only to CP/CPS dated after that date. > > So it is really Dec 31 + the time until the CP/CPS is updated for some > other > > reason. This is different than many other policy requirements, and a > > welcome reduction in administrative overhead for all concerned (including > > root programs and relying parties). > > > > For example, it a CA updated their CP/CPS in August 2018 to comply with > > new BRs, and again in May 2019 due to annual review, they need not comply > > until May 2019. > > > > > > > >> -----Original Message----- > > >> From: dev-security-policy > > >> <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Wayne > > >> Thayer via dev-security-policy > > >> Sent: Monday, October 22, 2018 6:00 PM > > >> To: Kathleen Wilson <kwil...@mozilla.com> > > >> Cc: mozilla-dev-security-policy > > >> <mozilla-dev-security-pol...@lists.mozilla.org> > > >> Subject: Re: What does "No Stipulation" mean, and when is it OK to > > >> use it in CP/CPS? > > >> > > >> Having given this some more thought, I suggest the following changes: > > >> > > >> ... > > >> > > >> * Finally, I think we need some effective date for these as required > > practices. > > >> One approach would be to require compliance for any CP/CPS dated > > >> after Dec 31, 2018. > > >> > > >> - Wayne > > >> > > >> On Tue, Oct 23, 2018 at 2:25 AM Kathleen Wilson via > > >> dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > >> > > >>> I have updated the section as follows: > > >>> - Removed the sentence that was trying to limit the use of "No > > >>> Stipulation". Hopefully the clarification about what these words > > >>> mean is sufficient. > > >>> - Added bullet points > > >>> - Added "Sections MUST not be left blank. ..." > > >>> > > >>> > > >>> > > >> https://clicktime.symantec.com/a/1/Xh- > > rJgK1XipLGMs1U1jQtvScEL4FB3RgBJ > > >> dwBJwZeYE=?d=vW4rM0CTwt8BO- > > WkB0mRKJ4JerYClzYhMZEWRTwXeQpnsTE59W7amFJ7 > > >> UBJ2Lqfz4GYYK9b1- > > 861DyJ4DaHeghkm5uPyaLz88lMhRqvIqIqTZA_cIJj019oR2rEK9 > > >> bhkXphYgKSUVtoR8Jv4c4ZyzmC1PwABos85PgNWZUQJmHU- > > PUFpXdUPJHpMF3mizDn82r > > >> > > k0Y2RsTkEa8rivnT6E8_XY2ct_Qb2EyuqdHD5BaiPxVGtBuabizQhhSJTxJOnwKO > > WaoM- > > >> G1uz_LEZUDTl53vgLqwOnLWYb8q3kLP7q7clVFhkAPULAOQGVhob01XI- > > oCmWpmJtDsMG > > >> > > HVzmozw0E1T4208EZyfyv2L2nQKYOsdTwEScupt4ut18MDXpcevjD2CbeA2U9 > > QfVhB_kA > > >> _fCU3vcSLkeOXiJOLq- > > YfSsXuiLvEqqmw4GLGR758pQeOj_rVwNE30jDvfqbbmg&u=htt > > >> > > ps%3A%2F%2Fwiki.mozilla.org%2FCA%2FRequired_or_Recommended_Pract > > ices% > > >> 23CP.2FCPS > > >>> _Structured_According_to_RFC_3647 > > >>> > > >>> > > >>> I continue to appreciate your feedback on this new section. > > >>> > > > > > > Enjoy > > > > Jakob > > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy