> However I still hold out some hope that the current proposal could be 
> workable.  I'm sorry if I missed it in the thread or bug, what is the 
> rationale that a "AC FNMT Usuarios" doesn't require an ongoing WebTrust SSL 
> BRs audit?
> 
Hi Andrew.

As specified in the CABForum Baseline Requirements documents, these requirements 
only address certificates intended to be used for authenticating servers 
accessible through the Internet.

Notice that "AC FNMT Usuarios" issues qualified certificates for natural 
persons (citizens). Therefore, it can't be audited as conforming to BR requirements 
because we don't issue SSL certs with this subCA (in fact, we have technical 
configuration restrictions to prevent SSL certs from being issued).

As I mentioned, "AC FNMT Usuarios" only issues "qualified certificates" where 
ETSI 101 456 audit criteria apply. Nevertheless, because this subordinate CA 
doesn't have the EKU extension, according to the "CA:BaselineRequirements" document 
on the Mozilla wiki, "AC FNMT Usuarios" is "in scope" and it's necessary to perform 
"procedures to confirm that there are no SSL certificates".

Best Regards,

Rafa
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
