On Tue, August 26, 2014 11:35 am, Kathleen Wilson wrote:
> All,
>
> I am running into a problem with BR audit statements that list details
> about issues that have been found.
>
> https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Baseline_Requirements
> "...The first BR audit for each CA and subCA may include a reasonable
> list of BRs that the CA (or subCA) is not yet in compliance with. ..."
>
> The problem is that some BR audit statements provide information about
> the CA's BR non-conformance that the CA considers to be sensitive (and
> non-publishable) information.
How can the public evaluate that root's conformance to Mozilla's stated policies? If the information presented to the public is one set, but the information presented to Mozilla or the Auditor is different, how does that inspire confidence in the conformance? I think we've seen enough regular issues where either the Baseline Requirements or Mozilla's requirements were not adhered to in matters both procedural and security, and so matters such as the Baseline Requirements seem even more significant.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

