On 8/26/14, 1:14 PM, Chris Palmer wrote:
> On Tue, Aug 26, 2014 at 1:09 PM, Kathleen Wilson <kwil...@mozilla.com> wrote:
>> BR 9.5 – 1024-bit certs with validity beyond 2013 (in order to support
>> legacy customer apps)
>> BR 13.2.6 - OCSP giving status “good” for unknown serial numbers.
>> BR 16.5 - multi-factor authentication for *all* accounts capable of directly
>> causing certificate issuance
>> BR 17.5 - The audit period for the Delegated Third Party SHALL NOT exceed
>> one year
>> BR 17.8 – audits on at least a quarterly basis against a randomly selected
>> sample of the greater of one certificate or *at least three percent* of the
>> Certificates issued by it during the period commencing immediately after the
>> previous self-audit sample was taken
>> BR 11.2 – re-verifying identity for cert renewal requests
> It is a bad idea to censor these highly relevant facts.
> These are the baseline requirements for a company to be trusted by the
> entire planet.
This is the level of information I could list for each CA who had a
redacted section in their BR audit.
The problem is that the BR audit statements have further details that
the CAs do not want published.
I'm just exploring how to get past the current situation of CAs not
being able to provide public-facing BR audit statements for their first
full-year BR audit.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy