All,

https://wiki.mozilla.org/CA:BaselineRequirements
Currently says: "The CA's CP or CPS documents must include a commitment to comply with the BRs, as described in BR section 8.3."

I have been asked if a CA can have their Webtrust audit statement indicate their commitment to comply with the BRs, rather than putting the commitment to comply statement in the CP/CPS.

Here are the reasons:

1) We are not a member of CAB/Forum and do not have any mutual agreement that can bind the obligations and responsibilities of both parties. It seems that the BR keeps changing very often.

2) The requirement of BR section 8.3 is quite weird as there is no such requirement in other audit criteria such as WebTrust. Would it be a marketing requirement rather than a technical requirement?

3) Further to (1) above, the proposed statement in BR section 8.3 also requires the CA to adhere to the latest published version. But nobody can assure compliance with it all the time. Even if a particular version number could be stated, practically it will take quite a long time to modify our CPS just due to some minor changes in the BRs by the CAB/Forum.

4) On the other hand, since CAs are required to perform a WebTrust audit annually anyway, it seems more appropriate for the WebTrust audit statement to disclose which version of the BRs the CA adheres to.

I would appreciate your thoughtful and constructive suggestions about this.

Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy