<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 6, 2017 at 12:07 PM, Gervase Markham via Public <span dir="ltr"><<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">During the CAB Forum face-to-face in Taipei, it was noted that the BRs<br>
currently state something which implies something which is not true in<br>
practice.<br></blockquote><div><br></div><div>Gerv,</div><div><br></div><div>I think it's useful here to distinguish between things which are expected and things which are audited. As has been discussed in the Forum for years, the audit criteria naturally lag behind the adoption of the BRs - depending on when a ballot is adopted, this can be as short as a few months, or as long as a few years.</div><div><br></div><div>I can think of a number of problems your proposed language would introduce, and on that basis, would have difficulty supporting, so it might be useful if you could articulate the problem you are trying to solve.</div><div><br></div><div>For example, it seems you might be trying to solve what you view as "the CAA problem". However, I think it's worth noting that the CAA problem was self-inflicted - the Forum had been discussing CAA since 2012, had specifically been concerned about potential gotchas and thus introduced the simple mandate to require disclosing CAA practices (allowing CAs to gain experience with CAA without any risk of BR violations, by virtue of allowing CP/CPS flexibility), and then put a CAA requirement 6 months in advance of the actual deadline. The issues only manifest because a "deadline" was taken as an "implementation date" - that is, all of the flexibility was rejected and deprioritized by CAs, and they waited until the last minute.</div><div><br></div><div>However, it also seems to be operating on a misguided - and I would argue dangerous to the ecosystem - belief that qualified audits represent a fatal state. We know, through similar lengthy discussions in the Forum on the nature of audits, that not every failure necessarily represents a qualification (as it relies on the auditor's opinion as well as the nature of the principles and criteria), but we also know that disclosure through audit is far better for the ecosystem than relentlessly chasing a 'clean' audit. Indeed, Mozilla's own efforts have been to underscore that point - that a qualified audit is not fatal - so I admit, it seems somewhat surprising to see you suggest undermining both security and the quality of audits in pursuit of unqualified audits.</div><div><br></div><div>Could you elaborate on whether there are goals or context that I have missed - and the relative value of those goals compared to the ecosystem value? In doing so, I'd be happy to elaborate how your proposal would result in less security and less transparency, and the ways in which it could be gamed or unintentionally overlooked, in a way that would be detrimental to the ecosystem.</div><div><br>Best,</div><div>Ryan</div></div></div></div>