On 05/12/16 21:10, Wen-Cheng Wang wrote:
> I mean BR Audit is specifically for CAs that provide SSL
> certificates. Therefore, it is not possible to conduct on those
> subordinate CAs that do not provide SSL certificates,

AIUI, that's not actually true. As we found out recently when discussing another CA whose name escapes me, it's possible to include a subordinate CA in an audit even if it's not issuing any certificates.

> As for how to make sure policies and practices of all our CAs fall
> under Mozilla's root policy, every time we received Kathleen's
> notification about the revision of Mozilla's root policy, we reviewed
> our CP of the Government PKI and CPSs of all CAs seriously. If
> necessary, we will make amendments to our CP and CPSs so that they
> can be aligned with Mozilla's root policy and we will reply what we plan
> to do for responding to the change of Mozilla's root policy to Kathleen.
> Since we have conducted WebTrust for CA audits on the whole
> Government PKI (including the root CA and all its subordinate CAs),
> the audit results can assure our CAs are all compliant with Mozilla's
> root policy.

Our root policy also requires (or will soon require) a BR audit to cover all sub-CAs technically capable of issuing server certs.

Gerv