Clarification over how fast we expect implementors to update after an update is issued to BCP195
Both FAPI1Adv and FAPI2SP have an unversioned dependency on BCP195, which means there’s the potential for a new version of BCP195 to be issued requiring us to make an immediate update to the certification tests and then people immediately failing certification.
This is already an issue as a new BCP195, https://www.rfc-editor.org/rfc/rfc9325.html,
Ideally we would say something about this in the specifications, i.e. something like “As a minimum we expect implementors to become compliant with newly issued versions of BCP195 within 12 months but ideally sooner depending on the nature of the change”, but an alternative would be for the FAPI WG to at least agree a position that the certification team can implement.
Comments (6)
- changed status to open
The certification team will come back on the Aug. 21 call.
- changed component to FAPI2: Security Profile
Discussed on the call - to add a note along the lines of the proposed text
Forces beyond what standards say will set the update schedule.
- changed status to resolved
The certification team plans to at least add warnings if the two known bad ciphers are used as per https://gitlab.com/openid/conformance-suite/-/issues/1347