On Mon, Jan 16, 2017 at 3:30 AM, Gervase Markham <
ge...@mozilla.org> wrote:
> On 13/01/17 01:56, Ryan Sleevi wrote:
>> Notably, 1.3.7 also has IP encumbrances - and uncertainty - the same
>> as 1.4.1, so presumably, Mozilla is OK with having encumbered methods
>> included. Considering some of these exclusions have existed since the
>> BR's adoption, that doesn't seem an unreasonable conclusion.
>
> This is a fair point, to a degree. IP issues with the documented methods
> are not avoided just because they are documented in a document which
> existed before the disclosures were finally properly filed.
>
>> So what's the difference between 1.3.7 and 1.4.1?
>> - A few methods were introduced which may or may not be encumbered
>> - The ability for the CA to select anything they want to argue is
>> equivalent is removed
>>
>> I would presume that your contention with 139 is not because new
>> methods were (potentially) encumbered, but on the basis that it
>> removes the any other method.
>
> Yes, I think that's more it. I was nervous about removing that "escape
> hatch" for CAs before the IPR questions were more fully settled.
>
>> Given that there are other methods
>> available (as reaffirmed by Ballot 181) that have no encumbrances by
>> CA/B Forum members, and given that potentially *any or all* of the
>> methods used may be encumbered by non-Forum members (who have no
>> obligation to disclose), it does not seem that it creates any new
>> meaningful risk for Mozilla to impose 1.4.1 upon CAs.
>
> It's true that the passing of 181, which had not happened when I
> prepared my original thoughts for this Github issue, does clarify
> matters. And it includes at least one 'unencumbered' automatable method.
>
>> Given that you can always revisit it if a CA can provide demonstrable
>> evidence of concern and proposed alternatives, without waiting on the
>> CA/Browser Forum, I'd like to encourage you that 1.4.1 is no worse
>> than 1.3.7, either technically or from an IP encumbrance perspective,
>> but is significantly and substantially better.
>
It depends on what your view is with respect to the 'minimum' version
that is required under the existing Mozilla Policy.
BRs 1.3.0 (
https://cabforum.org/wp-content/uploads/CAB-Forum-BR-1.3.0.pdf
) already include the clause (in Section 2.2) that:
"The CA SHALL publicly give effect to these Requirements and represent
that it will adhere to the latest published version."
So despite Mozilla Policy requiring 1.3.0, up until the passage of
Ballots 180/181, CAs were already on the hook and expected to comply
with the BRs 1.4.1 - meaning implementing the methods of Ballot 169 by
1 March 2017.
Up until the questions by Apple in the Forum, there had not been any
debate or disagreement about what the 'latest published version' was,
either within the Forum or within mozilla.dev.security.policy. It's
unclear whether Mozilla shares Apple's interpretation about the
legitimacy of all versions of the BRs prior to 1.4.2, but based on
your replies, it does not seem you agree on substance. That is, BRs
1.3.0 were/are a valid version of the BRs, at least within the spirit
and intent of the Mozilla policy, and so too by that logic are
versions 1.3.7, 1.4.1, and 1.4.2, which were passed in the same
manner.
I mention all of this to highlight that, up until the passage of
Ballots 180/181, and the adoption of 1.4.2, Mozilla Policy was already
requiring that CAs comply with 169 by 1 March 2017, by virtue of
Section 2.2. If Mozilla agrees that Ballot 169 is still valuable, then
it seems something that can be simply be done as a CA communication
prior to/independent of the adoption of Mozilla Policy 2.4, and it
seems that the reference to a specific version in Policy 2.4 is
perhaps superflous, so long as the Section 2.2 remains in force in the
BRs.
Nothing in Ballot 169 would inherently contradict the text in Ballots
180/181. However, a CA conforming only to the BRs 1.4.2 would not be
sufficient, as Mozilla would simply communicate the above-and-beyond
expectation (using a CA communication), and then include it in the set
of updates for Policy 2.4 if the Forum hasn't already resolved the
issue(s) by then. But if your concern is that CAs haven't had time or
a clear communication about what's expected of them, hopefully Section
2.2 shows that they have (up until Jan 7 of this year).