Hi Kathleen,

On Wed, Jan 28, 2015 at 02:49:22PM -0800, Kathleen Wilson wrote:
> https://wiki.mozilla.org/CA:BaselineRequirements
> Currently says: "The CA's CP or CPS documents must include a commitment to
> comply with the BRs, as described in BR section 8.3."
>
> I have been asked if a CA can have their Webtrust audit statement indicate
> their commitment to comply with the BRs, rather than putting the commitment
> to comply statement in the CP/CPS.

None of the reasons given for failing to assert a commitment to comply with the CAB Forum BRs are persuasive to me. I'd like to re-emphasise Jeremy's point that a CA which can't remain flexible enough to keep abreast of the gradual pace of change of the BRs cannot, IMO, be trusted to deal with a large-scale security problem which could happen at any time. It isn't even a reasonable argument that the BRs could change unexpectedly -- all CAB Forum actions are done in public (literally), so a CA which isn't a member of the Forum can keep an eye on what's being considered.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy