Would all of the browsers need to adopt some type of statement to the effect that "all CAs are expected to comply with the most recent version of the Baseline Requirements and EV Guidelines"? It seems you are just moving the statement/requirement from one place to another?
-----Original Message-----
From: Public [mailto:public-boun...@cabforum.org] On Behalf Of Gervase Markham via Public
Sent: Friday, October 6, 2017 10:08 AM
To: CABFPub <public@cabforum.org>
Subject: [cabfpub] BRs, EVGLs, and "latest version"

During the CAB Forum face-to-face in Taipei, it was noted that the BRs currently state something which implies something which is not true in practice. In section 2, they say:

"The CA SHALL develop, implement, enforce, and annually update a Certificate Policy and/or Certification Practice Statement that describes in detail how the CA implements the latest version of these Requirements."

There are similar statements in sections 2.2 and 2.3 (not sure why it needed to be said 3 times). And there's one for EV in section 8.3 of the EVGLs.

So, according to the documents, when you say you are conforming to a particular version, you should actually be conforming to the latest version.

The problem is that this is not how audits work. When a CA is given a BR audit, they are not audited to the latest version. They are audited to the version which has been translated into audit criteria in whatever version of the criteria are in use - e.g. for WebTrust for BRs 2.2 (the current version), that would be BRs 1.4.2[0]. The auditors present confirmed that they do not, in fact, audit to the latest version, as the documents suggest they do. This lag (some months, these days) could be considered a feature, not a bug; it allows us to "debug" bits of the BRs before they get fixed into audit criteria.

It is undoubtedly, from my perspective, a good thing that CAs are required to conform to the latest version of the BRs and EVGLs. That's why Mozilla Policy 2.5 says in section 2.3:

"CA operations relating to issuance of certificates capable of being used for SSL-enabled servers MUST also conform to the latest version of the CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates ("Baseline Requirements")."

There's a similar statement for EV in Mozilla Policy 2.5 section 2.2.4.

Therefore, removing the "latest version" statements from the BRs and EVGLs would not change the obligations on CAs to actually conform to the latest version, but would make it much more clear where that obligation comes from (root program requirements) and make it much more clear what auditors do (audit to the version of the BRs they have encoded in their audit criteria). It means that if/when root programs give a BR dispensation for something in the BRs of a version later than the audited version, there is no risk at all that anyone will be concerned that the discrepancy will nevertheless show up in their audit.

So my suggestion is that we pass a motion removing that language. Any objections?

Gerv

[0] http://www.webtrust.org/principles-and-criteria/docs/item83987.pdf

_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public