On 8/26/14, 12:10 PM, Peter Bowen wrote:
> Could you publish a list of BR section numbers which one or more CA is
> saying they do not yet comply with, not including any CA names? That
> would help determine the scope of the request and provide some
> guidance on the possible impact of the non-compliance without calling
> out any specific CA(s).
Collected from BR audit statements from multiple CAs...
BR 9.5 - 1024-bit certs with validity beyond 2013 (in order to support legacy customer apps)
BR 13.2.6 - OCSP giving status "good" for unknown serial numbers
BR 16.5 - multi-factor authentication for *all* accounts capable of directly causing certificate issuance
BR 17.5 - the audit period for the Delegated Third Party SHALL NOT exceed one year
BR 17.8 - audits on at least a quarterly basis against a randomly selected sample of the greater of one certificate or *at least three percent* of the Certificates issued by it during the period commencing immediately after the previous self-audit sample was taken
BR 11.2 - re-verifying identity for cert renewal requests
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
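Two of the items in the list above can be checked mechanically from a CA's own issuance log: BR 9.5 (no RSA key under 2048 bits valid past the end of 2013) and BR 17.8 (a random quarterly self-audit sample of the greater of one certificate or three percent of those issued since the previous sample). The following is an added example written for this page, not code from the thread or from any CA or auditor; the certificate records are constructed dicts rather than parsed X.509, the field names (`serial`, `key_bits`, `issued`, `not_after`) are assumptions, and the exact 2013 cutoff instant is an assumed reading of "validity beyond 2013".

```python
"""Added example: auditor-side checks for BR 9.5 and BR 17.8 over a
constructed issuance log. Not from the mailing-list thread; record
field names and the cutoff instant are assumptions."""
import random
from datetime import datetime, timedelta

# BR 9.5 as summarised in the thread: keys shorter than 2048 bits may
# not be valid past 2013. The cutoff instant is an assumption.
MIN_RSA_BITS = 2048
LEGACY_KEY_CUTOFF = datetime(2013, 12, 31, 23, 59, 59)

# BR 17.8: sample the greater of one certificate or 3% of those issued
# since the previous self-audit sample. Kept as integer percent so the
# ceiling is exact (no float rounding surprises at 100 * 0.03).
SAMPLE_PERCENT = 3


def br_9_5_violations(certs):
    """Serials of certificates whose RSA key is under 2048 bits and whose
    notAfter lies beyond the assumed end-of-2013 cutoff."""
    return [
        c["serial"]
        for c in certs
        if c["key_bits"] < MIN_RSA_BITS and c["not_after"] > LEGACY_KEY_CUTOFF
    ]


def br_17_8_sample_size(population):
    """max(1, ceil(3% of population)); 0 if nothing was issued at all."""
    if population <= 0:
        return 0
    return max(1, (population * SAMPLE_PERCENT + 99) // 100)


def br_17_8_sample(certs, previous_sample_time, rng=None):
    """Randomly pick the self-audit sample from certificates issued
    strictly after the previous sample was taken. A seeded Random can be
    passed in so the selection is reproducible for the audit record."""
    rng = rng or random.Random()
    eligible = [c for c in certs if c["issued"] > previous_sample_time]
    n = br_17_8_sample_size(len(eligible))
    return sorted(c["serial"] for c in rng.sample(eligible, n))


def constructed_certs():
    """Constructed records standing in for a CA's issuance log:
    50 certificates issued every other day from 2014-04-03, every tenth
    one with a 1024-bit key. Serial 0x000a expired in time; the other
    four legacy keys run to 2015 and so violate BR 9.5."""
    base = datetime(2014, 4, 1)
    certs = []
    for i in range(1, 51):
        legacy = i % 10 == 0
        certs.append({
            "serial": f"{i:04x}",
            "key_bits": 1024 if legacy else 2048,
            "issued": base + timedelta(days=2 * i),
            "not_after": datetime(2013, 12, 1) if i == 10 else datetime(2015, 12, 1),
        })
    return certs


if __name__ == "__main__":
    log = constructed_certs()
    print("BR 9.5 violations:", br_9_5_violations(log))
    # Previous sample taken 2014-05-01: 35 certificates issued since, so
    # the sample is max(1, ceil(35 * 3%)) = 2 certificates.
    print("BR 17.8 sample:", br_17_8_sample(log, datetime(2014, 5, 1), random.Random(1)))
```

The sampling function deliberately excludes certificates issued at or before the previous sample timestamp, which is the "period commencing immediately after the previous self-audit sample was taken" wording in the thread; feeding it the whole log would silently under-sample the new quarter.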