[cabfpub] BRs, EVGLs, and "latest version"

Gervase Markham gerv at mozilla.org
Fri Oct 6 09:07:47 MST 2017

During the CAB Forum face-to-face in Taipei, it was noted that the BRs
currently state something which implies something which is not true in

In section 2, they say:

"The CA SHALL develop, implement, enforce, and annually update a
Certificate Policy and/or Certification Practice Statement that
describes in detail how the CA implements the latest version of these

There are similar statements in sections 2.2 and 2.3 (not sure why it
needed to be said 3 times). And there's one for EV in section 8.3 of the
EVGLs. So, according to the documents, when you say you are conforming
to a particular version, you should actually be conforming to the latest

The problem is that this is not how audits work. When a CA is given a BR
audit, they are not audited to the latest version. They are audited to
the version which has been translated into audit criteria in whatever
version of the criteria are in use - e.g. for WebTrust for BRs 2.2 (the
current version), that would be BRs 1.4.2[0]. The auditors present
confirmed that they do not, in fact, audit to the latest version, as the
documents suggest they do. This lag (some months, these days) could be
considered a feature, not a bug; it allows us to "debug" bits of the BRs
before they get fixed into audit criteria.

It is undoubtedly, from my perspective, a good thing that CAs are
required to conform to the latest version of the BRs and EVGLs. That's
why Mozilla Policy 2.5 says in section 2.3:

"CA operations relating to issuance of certificates capable of being
used for SSL-enabled servers MUST also conform to the latest version of
the CA/Browser Forum Baseline Requirements for the Issuance and
Management of Publicly-Trusted Certificates ("Baseline Requirements")."

There's a similar statement for EV in Mozilla Policy 2.5 section 2.2.4.

Therefore, removing the "latest version" statements from the BRs and
EVGLs would not change the obligations on CAs to actually conform to the
latest version, but would make it much more clear where that obligation
comes from (root program requirements) and make it much more clear what
auditors do (audit to the version of the BRs they have encoded in their
audit criteria). It means that if/when root programs give a BR
dispensation for something in the BRs of a version later than the
audited version, there is no risk at all that anyone will be concerned
that the discrepancy will nevertheless show up in their audit.

So my suggestion is that we pass a motion removing that language.

Any objections?


[0] http://www.webtrust.org/principles-and-criteria/docs/item83987.pdf

More information about the Public mailing list