[cabfpub] BRs, EVGLs, and "latest version"

Gervase Markham gerv at mozilla.org
Wed Oct 11 03:10:51 MST 2017


On 09/10/17 13:39, Ryan Sleevi wrote:
> I think it's useful here to distinguish between things which are
> expected and things which are audited. 

But also the source of such expectations and audits. Expectations come
from browser root programs. Audits come from auditors, as required by
browser root programs. Having the BRs directly set version compliance
expectations in this way is, IMO, confusing.

> As has been discussed in the
> Forum for years, the audit criteria naturally lag behind the adoption of
> the BRs - depending on when a ballot is adopted, this can be as short as
> a few months, or as long as a few years.

And I acknowledge that and consider it a feature, not a bug.

> I can think of a number of problems your proposed language would
> introduce, and on that basis, would have difficulty supporting, so it
> might be useful if you could articulate the problem you are trying to solve.

The problem is the muddled lines of authority.

> For example, it seems you might be trying to solve what you view as "the
> CAA problem". 

Well, only in so far as in the CAA case some CAs were worried about
their "non-compliance" showing up on their audit. This change would
eliminate that source of worry (which I think is unfounded in practice,
but I agree the situation is not entirely clear, which is what I want to
fix).

> However, it also seems to be operating on a misguided - and I would
> argue dangerous to the ecosystem - belief that qualified audits
> represent a fatal state.

Not as such, although it is informed by the observation that some
programs might require clean audits. Like I said, I don't think this
change affects what happens in practice; it is a clarification of the
status quo.

Gerv


More information about the Public mailing list