Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-26 Thread Wayne Thayer via dev-security-policy
On Thu, Oct 25, 2018 at 10:11 PM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 26/10/2018 01:13, Ryan Sleevi wrote: > > On Thu, Oct 25, 2018 at 5:47 PM Jakob Bohm via dev-security-policy < > > dev-security-policy@lists.mozilla.org> wrote: > > > >> On

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-25 Thread Ryan Sleevi via dev-security-policy
On Thu, Oct 25, 2018 at 5:47 PM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 25/10/2018 23:10, Wayne Thayer wrote: > > On Thu, Oct 25, 2018 at 11:17 AM Joanna Fox via dev-security-policy < > > dev-security-policy@lists.mozilla.org> wrote: > > > >>

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-25 Thread Jakob Bohm via dev-security-policy
On 25/10/2018 23:10, Wayne Thayer wrote: On Thu, Oct 25, 2018 at 11:17 AM Joanna Fox via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: Questions about blank sections, thinking of a potential future requirement. Sections such as 1.INTRODUCTION would remain blank as they

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-25 Thread Wayne Thayer via dev-security-policy
On Thu, Oct 25, 2018 at 11:17 AM Joanna Fox via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Questions about blank sections, thinking of a potential future > requirement. Sections such as 1.INTRODUCTION would remain blank as they are > more titles than components,

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-25 Thread Joanna Fox via dev-security-policy
Questions about blank sections, thinking of a potential future requirement. Sections such as 1.INTRODUCTION would remain blank as they are more titles than components, correct? If no sections are allowed to be blank does this include both levels of components such as 1.4 and 1.4.1? Also,

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-24 Thread Wayne Thayer via dev-security-policy
I'm with Jakob on this, but the point is moot because Kathleen chose not to adopt that suggestion. Instead, using "no stipulation" is a SHOULD NOT until we update the root store policy. I would encourage CAs to update their CPSs proactively to comply with this, but there isn't yet a deadline. -

RE: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-24 Thread Tim Hollebeek via dev-security-policy
That may be true, but I don't see any upside for using that date. If you need to make a minor CPS update in early January for any reason, you now have additional work. I think late December policy changes should be avoided as a general rule. -Tim > -Original Message- > From:

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-24 Thread Jakob Bohm via dev-security-policy
On 24/10/2018 00:08, Tim Hollebeek wrote: I agree with you, but December 31 is a particularly horrible compliance deadline. Perhaps January 31? Note that the requirement applies only to CP/CPS dated after that date. So it is really Dec 31 + the time until the CP/CPS is updated for some

RE: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-23 Thread Tim Hollebeek via dev-security-policy
I agree with you, but December 31 is a particularly horrible compliance deadline. Perhaps January 31? -Tim > -Original Message- > From: dev-security-policy On > Behalf Of Wayne Thayer via dev-security-policy > Sent: Monday, October 22, 2018 6:00 PM > To: Kathleen Wilson > Cc:

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-23 Thread Kathleen Wilson via dev-security-policy
I have updated this section in the wiki page again as follows: - Changed the word 'must' to 'should' for items that are not currently in Mozilla's Root Store Policy or the BRs. We plan to change these back to 'must' after Wayne updates Mozilla's Root Store Policy regarding this topic. - Added

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-22 Thread Wayne Thayer via dev-security-policy
Having given this some more thought, I suggest the following changes: * Forbid "no stipulation" altogether. While there are a few sections where it would be convenient to use "No stipulation" (e.g. 4.2.3 Time to Process Certificate Applications), I don't see a requirement for more descriptive

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-22 Thread Kathleen Wilson via dev-security-policy
I have updated the section as follows: - Removed the sentence that was trying to limit the use of "No Stipulation". Hopefully the clarification about what these words mean is sufficient. - Added bullet points - Added "Sections MUST not be left blank. ..."

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-20 Thread Ryan Sleevi via dev-security-policy
I’m not sure that is at all an accurate representation - of the discussions or of the practiced use of “no stipulation.” The use of “minimal CPS” is highly desirable from an audit and documentation practice. The concerns raised during such discussions are the concerns captured here originally -

RE: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-19 Thread Tim Hollebeek via dev-security-policy
I think blank sections should be disallowed. The entire purpose of "No stipulation" is to make it clear that the omission of content was intentional. With regards to some of these sections being useful, I agree that a good CPS contains more than the minimum content required from the BRs. I

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-19 Thread Joanna Fox via dev-security-policy
On Thursday, October 18, 2018 at 5:47:14 PM UTC-7, Jakob Bohm wrote: > On 15/10/2018 20:01, Kathleen Wilson wrote: > > I have added the following section to the Required Practices wiki page: > > > >

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-18 Thread Jakob Bohm via dev-security-policy
On 15/10/2018 20:01, Kathleen Wilson wrote: I have added the following section to the Required Practices wiki page: https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#BR_Commitment_to_Comply_statement_in_CP.2FCPS I will continue to appreciate feedback on this update. Thanks,

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-18 Thread Matt Palmer via dev-security-policy
On Thu, Oct 18, 2018 at 03:44:44PM -0700, Kathleen Wilson via dev-security-policy wrote: > I think that a blank section means the same thing as "No stipulation". > Should we require that sections not be left blank? I think that for the avoidance of any sort of doubt or confusion, it would be

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-18 Thread Kathleen Wilson via dev-security-policy
On 10/18/18 2:03 PM, Joanna Fox wrote: https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CP.2FCPS_Structured_According_to_RFC_3647 For clarification on this statement, "Any CPS that falls within the scope of Mozilla’s program must not use the words “No stipulation” unless the

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-18 Thread Joanna Fox via dev-security-policy
On Monday, October 15, 2018 at 11:23:05 AM UTC-7, Kathleen Wilson wrote: > On 10/15/18 11:01 AM, Kathleen Wilson wrote: > > I have added the following section to the Required Practices wiki page: > > > >

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-15 Thread Kathleen Wilson via dev-security-policy
On 10/15/18 11:01 AM, Kathleen Wilson wrote: I have added the following section to the Required Practices wiki page: https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#BR_Commitment_to_Comply_statement_in_CP.2FCPS I will continue to appreciate feedback on this update. Thanks,

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-15 Thread Jakob Bohm via dev-security-policy
On 15/10/2018 20:01, Kathleen Wilson wrote: I have added the following section to the Required Practices wiki page: https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#BR_Commitment_to_Comply_statement_in_CP.2FCPS

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-15 Thread Kathleen Wilson via dev-security-policy
I have added the following section to the Required Practices wiki page: https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#BR_Commitment_to_Comply_statement_in_CP.2FCPS I will continue to appreciate feedback on this update. Thanks, Kathleen

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-15 Thread Kathleen Wilson via dev-security-policy
On 10/15/18 12:48 AM, Pedro Fuentes wrote: Hello, I've a question closely related to this. I'd appreciate guidance. I'm refactoring our CP & CPS documents considering that a CA can issue different types of certificates, so there would be multiple CP and one CPS. My strategy is that if the

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-15 Thread Pedro Fuentes via dev-security-policy
Hello, I've a question closely related to this. I'd appreciate guidance. I'm refactoring our CP & CPS documents considering that a CA can issue different types of certificates, so there would be multiple CP and one CPS. My strategy is that if the stipulation is defined in one of the document

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-11 Thread Kathleen Wilson via dev-security-policy
Based on the input into this discussion so far, I propose to add the following section to the Required part of this wiki page: https://wiki.mozilla.org/CA/Required_or_Recommended_Practices We can consider adding text about this directly to Mozilla's Root Store Policy later. (I'll file the

RE: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS

2018-10-11 Thread Tim Hollebeek via dev-security-policy
I think "Not applicable" would be superior to "No stipulation", when appropriate. "3.2.2.5. No IP address certificates are issued under this CPS." is even clearer. I haven't looked into the implications of this, but perhaps it would be worth considering not allowing "No stipulation" in CPSs

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS

2018-10-10 Thread Jakob Bohm via dev-security-policy
On 09/10/2018 23:15, Wayne Thayer wrote: On Tue, Oct 9, 2018 at 12:48 PM Kathleen Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: Oh, so rather than trying to define what "No Stipulation" means and when it can be used, we could take a different approach -- list

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS

2018-10-09 Thread Wayne Thayer via dev-security-policy
On Tue, Oct 9, 2018 at 12:48 PM Kathleen Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Oh, so rather than trying to define what "No Stipulation" means and when > it can be used, we could take a different approach -- list the sections > that cannot contain "No

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS

2018-10-09 Thread Kathleen Wilson via dev-security-policy
Oh, so rather than trying to define what "No Stipulation" means and when it can be used, we could take a different approach -- list the sections that cannot contain "No Stipulation" in the CPS. On 10/9/18 12:31 PM, Brown, Wendy (10421) wrote: Tim - I think that statement leaves out the

RE: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS

2018-10-09 Thread Brown, Wendy (10421) via dev-security-policy
Tim - I think that statement leaves out the next paragraph of RFC3647: In a CP, it is possible to leave certain components, subcomponents, and/or elements unspecified, and to stipulate that the required information will be indicated in a policy qualifier, or the document to which a policy

RE: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-09 Thread Tim Hollebeek via dev-security-policy
RFC 3647 disagrees: "Rather, a particular CP or CPS may state "no stipulation" for a component, subcomponent, or element on which the particular CP or CPS imposes no requirements or makes no disclosure." " It is recommended that each and every component and subcomponent be included in a CP

RE: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-09 Thread Brown, Wendy (10421) via dev-security-policy
Kathleen - My interpretation of a "No Stipulation" in a CP is that the Policy has "No rules defined for this section" In these cases, I expect the CPS to state what is actually done in support of that section and therefore "No Stipulation" is not appropriate in a CPS. The CPS should instead

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-09 Thread (RS) Tyler Schroder via dev-security-policy
The legal definition that I came across is "In United States law, a stipulation is a formal legal acknowledgment and agreement made between opposing parties before a pending hearing or