The CAB Forum's EV guidelines include the Baseline Requirements.
Likewise, the WebTrust EV audit criteria include the Baseline
Requirements audit criteria. So, I have been asked to make the following
clarification.
In https://wiki.mozilla.org/CA:BaselineRequirements#WebTrust_BR_Audit_Statement
I propose adding the following text:
--
If the root certificate is enabled for EV treatment, then the following
three public-facing audit statements are required annually:
1. WebTrust CA -- WebTrust Principles and Criteria for Certification Authorities
2. WebTrust BR -- WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security (or Principles and Criteria - SSL Baseline Requirements)
3. WebTrust EV -- WebTrust Principles and Criteria for Certification Authorities – Extended Validation SSL (or Principles and Criteria for Certification Authorities – Extended Validation Audit Criteria)
However, if the CA hierarchy can only be used for EV certificates, and
the CP/CPS clearly states this, then a separate WebTrust BR audit
statement is not needed because it is encompassed within the WebTrust EV
audit. In other words, the WebTrust EV audit statement will also suffice
as the WebTrust BR audit statement.
--
I will appreciate constructive feedback on this proposal.
Kathleen
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy