On 16/06/15 02:54, Peter Bowen wrote:
> First, the policy says "All disclosure MUST be made freely available and
> without additional requirements, including, but not limited to,
> registration, legal agreements, or restrictions on redistribution of the
> certificates in whole or in part."
>
> If I read this very strictly, then all the items being disclosed have to
> essentially be public domain (Creative Commons Public Domain Declaration
> or similar), as most any license places requirements on redistribution.
> However I don't think that is probably the intent of the requirement.
> Is there a list of what restrictions are acceptable or unacceptable?

We are currently trying to work this out in the context of the CAB
Forum. My current proposal is that we require CAs to provide their
documentation (CP and CPS) under any Creative Commons license which does
not include "NonCommercial". In other words, CC-BY, CC-BY-SA or CC-BY-ND.
I would commend either of the first two, but CC-BY-ND is allowed for CAs
who do not wish others to make derivative works of their documentation.

> I'm not clear on what Mozilla expects here when standing up a new
> subordinate and disclosing it for the first time. Assuming the operator
> has an audit program in place, it is possible that it will be 12+ months
> until they have an opinion from their auditor that calls out the new
> subordinate (11 months to complete the current period plus up to 60 days
> to get opinion). Does the operator just provide a link to their current
> audit opinion and a statement that the new certificate will be included
> in the audit program?

This one's a question for Kathleen :-)

Gerv