On 3/4/14, 8:00 AM, Rich Smith wrote:
On Mon, Mar 3, 2014 at 8:33 PM, Kathleen Wilson wrote:

For those CAs who have done the compliance with the Baseline Requirements
for the first time, will your root certificate program accept a
point-in-time readiness assessment audit against the WebTrust Baseline
Requirements Program?



Lacking full information, I assume this means that as a new CA, they have no
(or very little) issued track record of BR-compliant certificates upon which
to base a full compliance audit, so are asking if a point-in-time readiness
assessment of BR compliance is sufficient. If my assumption of the
situation is correct, it seems a reasonable request.


Yes, your assumption is correct.

Accepting a point-in-time BR audit from a new CA means that the previously issued certs that are still valid may be non-compliant with the BRs in worse ways than not having an OCSP URI in the AIA. However, the same could be true of the CAs currently in Mozilla's program who issued long-lived certs before the BRs went into effect.

Of course, a full WebTrust CA or ETSI TS 102 042 audit is required before a CA's inclusion request may be considered (when they are asking for the websites trust bit to be enabled).

Thanks,
Kathleen

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
