On 8/19/14, 5:37 PM, Kathleen Wilson wrote:
> All,
> I started a new wiki page to document Mozilla's expectations regarding
> CA compliance with the BRs, and auditing according to the BRs.
> https://wiki.mozilla.org/CA:BaselineRequirements
> It is a very rough draft, but I would appreciate feedback on it.
> Thanks,
> Kathleen
Regarding Whole-Population BR Audit of Intermediate Certs, since the BRs
are for SSL certs, this should probably only apply to intermediate certs
that are capable of issuing SSL certs.

Regarding auditing for things in RFC 5280...

There are things in RFC 5280 (such as duplicate serial numbers) that
aren't stated in the BRs. So, does the CAB Forum need to add important
requirements from RFC 5280 to the BRs, so they get added to the BR audit
criteria?

Why I ask...

It is my understanding that when an auditor performs a BR audit, she
will follow a BR audit criteria such as the WebTrust BR audit criteria
or the ETSI TS 102 042 PTC-BR criteria. For the requirements that are
explicitly defined in the BR audit criteria, the auditor will examine
the technical settings and sampled certificates to check for those
things. For things that are not explicitly defined in BR audit criteria,
the auditor may use some less strict audit procedures such as asking CA
personnel or reviewing the CP/CPS to check for those things.
Kathleen
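As an added illustration of the two points in the message above (example code, not from the thread, Mozilla or the CAB Forum), here is a Python check using the `cryptography` package over a constructed population of certificates: it flags which intermediates are capable of issuing SSL certs (CA:TRUE and no EKU, or an EKU including serverAuth) and so fall under a whole-population BR audit, and it finds serial numbers reused under one issuer, which RFC 5280 forbids but the BRs do not spell out. The root, names and serial numbers are all constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

ROOT_KEY = ec.generate_private_key(ec.SECP256R1())  # constructed throwaway root
ROOT_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test Root")])

def make_cert(cn, serial, ca=True, eku=None):
    """Build a sample certificate issued by the constructed root."""
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
         .issuer_name(ROOT_NAME)
         .public_key(ec.generate_private_key(ec.SECP256R1()).public_key())
         .serial_number(serial)
         .not_valid_before(now).not_valid_after(now + timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if eku is not None:
        b = b.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return b.sign(ROOT_KEY, hashes.SHA256())

def tls_capable_intermediate(cert):
    """CA:TRUE with no EKU, or an EKU containing serverAuth: can issue SSL/TLS certs."""
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    except x509.ExtensionNotFound:
        return False
    if not bc.ca:
        return False
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return True  # no EKU present, so TLS issuance is not excluded
    return ExtendedKeyUsageOID.SERVER_AUTH in eku

def duplicate_serials(certs):
    """(issuer, serial) -> count for serials reused under one issuer (RFC 5280 4.1.2.2)."""
    seen = {}
    for c in certs:
        key = (c.issuer.rfc4514_string(), c.serial_number)
        seen[key] = seen.get(key, 0) + 1
    return {k: n for k, n in seen.items() if n > 1}

# Constructed population: two TLS-capable intermediates share serial 1000
# (an RFC 5280 violation); the S/MIME-only intermediate is outside BR scope.
POPULATION = [
    make_cert("TLS Issuing CA 1", 1000),
    make_cert("TLS Issuing CA 2", 1000, eku=[ExtendedKeyUsageOID.SERVER_AUTH]),
    make_cert("Email CA", 1001, eku=[ExtendedKeyUsageOID.EMAIL_PROTECTION]),
]
```

Run against a CA's real intermediate population, the same two functions give the audit scope list and the serial collisions an auditor would otherwise only find by sampling.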
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy