On Tue, Aug 26, 2014 at 11:35 AM, Kathleen Wilson <[email protected]> wrote:
> I am running into a problem with BR audit statements that list details about
> issues that have been found.
>
> https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Baseline_Requirements
> "...The first BR audit for each CA and subCA may include a reasonable list
> of BRs that the CA (or subCA) is not yet in compliance with. ..."
>
> The problem is that some BR audit statements provide information about the
> CA's BR non-conformance that the CA considers to be sensitive (and
> non-publishable) information.

Without any concrete data on the scope of the items that are not yet in compliance it is hard to make judgements.

> In the spreadsheet of included roots, I could add a column to list BR
> section numbers that were in the redacted information.

Could you publish a list of BR section numbers which one or more CA is saying they do not yet comply with, not including any CA names? That would help determine the scope of the request and provide some guidance on the possible impact of the non-compliance without calling out any specific CA(s).

Thanks,
Peter

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

