On 28/01/15 22:49, Kathleen Wilson wrote:
> I have been asked if a CA can have their WebTrust audit statement
> indicate their commitment to comply with the BRs, rather than putting
> the commitment to comply statement in the CP/CPS.
>
> Here are the reasons:
>
> 1) We are not a member of CAB/Forum and do not have any mutual agreement
> that can bind the obligations and responsibilities of both parties. It
> seems that the BR keeps changing very often.

This seems like a non-sequitur. They are not refusing to comply, they just want to change the location of the compliance statement. So why is their lack of membership, or the rate of change, relevant?

Or are they basically saying they do not wish to be bound by the latest version of the BRs, but only by the version current at the time of their last audit? If so, I'd say No. Mozilla expects all CAs in our program, whether CAB Forum members or not, to comply with the latest version of the BRs (taking into account any phase-in periods given in resolutions to adopt new measures). Inability to do this might be considered indicative of deeper problems at the CA.

It may be true that we can only have the compliance of a particular CA checked formally once a year at audit time, but we still expect ongoing compliance, and reserve the right to use other methods of checking it (such as examining issued certificates).

> 2) The requirement of BR section 8.3 is quite weird as there is no such
> requirement in other audit criteria such as WebTrust. Would it be a
> marketing requirement rather than a technical requirement?

A commitment in the CA's official documents to conform to the BRs is merely stating what should be required by Mozilla root program membership anyway. So it shouldn't be a problem.

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy