Mozilla Policy 2.9, section 3.1.4 and CCADB policy section 5.1


Tim Hollebeek

Aug 17, 2023, 3:38:53 PM
to dev-secur...@mozilla.org

 

This is extremely nitpicky and in the weeds, so excuse me, but …

 

It has been pointed out internally that the draft 2.9 Mozilla policy includes a normative reference in section 3.1.4 to CCADB policy section 5.1, without specifying a version.

 

This has the practical effect of meaning that CCADB Policy updates to section 5.1 could happen at any time, and CAs are expected to comply immediately with no transition period.  This seems extremely dangerous, unintended, and likely to end badly.

 

I’m not sure what the best fix is.  Requirements that reference external documents that can change at any time are always very tricky to handle in a good way.

 

-Tim

Aaron Poulsen

Aug 18, 2023, 4:57:13 PM
to dev-secur...@mozilla.org, Tim Hollebeek
I do not feel this point is nitpicky. Externally-referenced documents increase the compliance burden on CAs (and organizations, in general) and introduce unnecessary complexity. Specifying a version is helpful, but we will also need to ensure prior versions of policies are easily accessible and from an authoritative source. CCADB does not currently offer prior versions of policies on its site, at least as far as I can see, but that's where I would expect to see archived policies.

Ideally, the referenced text would be pulled into the referencing policy directly to ensure the requirement is unambiguous. Also, to Tim's point, a statement should be included on when changes to the referenced policy become enforceable to avoid any assumptions by either party.

Cheers,
AP
