I've initiated a CAB Forum ballot [1] to resolve the inconsistency that Rob identified.

I also want to acknowledge the feedback from Google on the timing of this. I can appreciate the framing of this as a new policy that's been added without due process, but I view this as a clarification of existing requirements. Some CAs have already been held accountable for this requirement [2] and some that have been paying close attention adhere to it. Others were struggling to determine what to do. Under these circumstances, it made no sense to me to roll back the policy, so the only reasonable course was to clarify it in favor of the consensus that emerged from this thread.

I'm still open to making changes to our "required practice" on precertificates, but having caught up on the thread I don't think any further changes are necessary.

- Wayne

[1] https://cabforum.org/pipermail/servercert-wg/2019-September/001111.html
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1551390
[3] https://groups.google.com/d/msg/mozilla.dev.security.policy/PYIAoh6W6x0/R0gr1d6wBQAJ

On Wed, Sep 25, 2019 at 3:59 AM Clint Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: