Because it is not necessary. The actual parties involved know what is meant and intended, so adding some ongoing and constant amendment process is counter-productive.
Speaking from personal experience, it is necessary to update these references, because people implementing them have no choice but to follow the letter of the law. I have worked on govt projects where we had to downgrade to an insecure cipher suite to comply with outdated regulations.
Putting on my govt contractor hat, there may be a business opportunity here to set up VMs running Win95/Netscape Communicator for use by all the civil servants looking to comply with the law. Could charge a pretty penny too - it’ll all get budgeted as “Brexit compliance” costs.
> there may be a business opportunity here to set up VMs running Win95/Netscape Communicator for use by all the civil servants looking to comply with the law.
The text quoted in the linked article in no way mandates the use of Netscape Navigator or Mozilla Mail - it merely references them as being widely distributed software capable of using RSA 1024 and SHA-1 (which it does appear to mandate).
> Speaking from personal experience, it is necessary to update these references, because people implementing them have no choice but to follow the letter of the law.
Because there isn't a Big Book of Industry Best Practices everybody can trivially agree to use?
Sometimes they don't exist - who maintains a sufficiently reputable list of safe email clients and web browsers?
Sometimes they exist but they carry some baggage - the FIPS standards for cryptography are probably fine, certainly better than hardcoding a couple of algorithm names, but they're also controlled by a foreign government.
Best practice most likely wasn't good enough back when the original text was written. But yeah, they should have made it a bit more future-proof, and they definitely shouldn't have copy/pasted the text into new treaties 12 years later.
Putting on my govt contractor hat, there may be a business opportunity here to set up VMs running Win95/Netscape Communicator for use by all the civil servants looking to comply with the law. Could charge a pretty penny too - it’ll all get budgeted as “Brexit compliance” costs.