[cabfpub] BRs, EVGLs, and "latest version"

Ben Wilson ben.wilson at digicert.com
Fri Oct 6 16:26:12 UTC 2017

Would all of the browsers need to adopt some type of statement to the effect
that "all CAs are expected to comply with the most recent version of the
Baseline Requirements and EV Guidelines?  It seems you are just moving the
statement/requirement from one place to another?

-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase
Markham via Public
Sent: Friday, October 6, 2017 10:08 AM
To: CABFPub <public at cabforum.org>
Subject: [cabfpub] BRs, EVGLs, and "latest version"

During the CAB Forum face-to-face in Taipei, it was noted that the BRs
currently state something which implies something which is not true in

In section 2, they say:

"The CA SHALL develop, implement, enforce, and annually update a Certificate
Policy and/or Certification Practice Statement that describes in detail how
the CA implements the latest version of these Requirements."

There are similar statements in sections 2.2 and 2.3 (not sure why it needed
to be said 3 times). And there's one for EV in section 8.3 of the EVGLs. So,
according to the documents, when you say you are conforming to a particular
version, you should actually be conforming to the latest version.

The problem is that this is not how audits work. When a CA is given a BR
audit, they are not audited to the latest version. They are audited to the
version which has been translated into audit criteria in whatever version of
the criteria are in use - e.g. for WebTrust for BRs 2.2 (the current
version), that would be BRs 1.4.2[0]. The auditors present confirmed that
they do not, in fact, audit to the latest version, as the documents suggest
they do. This lag (some months, these days) could be considered a feature,
not a bug; it allows us to "debug" bits of the BRs before they get fixed
into audit criteria.

It is undoubtedly, from my perspective, a good thing that CAs are required
to conform to the latest version of the BRs and EVGLs. That's why Mozilla
Policy 2.5 says in section 2.3:

"CA operations relating to issuance of certificates capable of being used
for SSL-enabled servers MUST also conform to the latest version of the
CA/Browser Forum Baseline Requirements for the Issuance and Management of
Publicly-Trusted Certificates ("Baseline Requirements")."

There's a similar statement for EV in Mozilla Policy 2.5 section 2.2.4.

Therefore, removing the "latest version" statements from the BRs and EVGLs
would not change the obligations on CAs to actually conform to the latest
version, but would make it much more clear where that obligation comes from
(root program requirements) and make it much more clear what auditors do
(audit to the version of the BRs they have encoded in their audit criteria).
It means that if/when root programs give a BR dispensation for something in
the BRs of a version later than the audited version, there is no risk at all
that anyone will be concerned that the discrepancy will nevertheless show up
in their audit.

So my suggestion is that we pass a motion removing that language.

Any objections?


[0] http://www.webtrust.org/principles-and-criteria/docs/item83987.pdf
Public mailing list
Public at cabforum.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4974 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20171006/7dca8d5f/attachment-0003.p7s>

More information about the Public mailing list