On Tue, Aug 26, 2014 at 1:09 PM, Kathleen Wilson <[email protected]> wrote:
> BR 9.5 – 1024-bit certs with validity beyond 2013 (in order to support
> legacy customer apps)
>
> BR 13.2.6 - OCSP giving status “good” for unknown serial numbers.
>
> BR 16.5 - multi-factor authentication for *all* accounts capable of directly
> causing certificate issuance
>
> BR 17.5 - The audit period for the Delegated Third Party SHALL NOT exceed
> one year
>
> BR 17.8 – audits on at least a quarterly basis against a randomly selected
> sample of the greater of one certificate or *at least three percent* of the
> Certificates issued by it during the period commencing immediately after the
> previous self-audit sample was taken
>
> BR 11.2 – re-verifying identity for cert renewal requests

It is a bad idea to censor these highly relevant facts. These are the baseline requirements for a company to be trusted by the entire planet.

