On 08/03/17 17:43, Ryan Hurst wrote:
>> Gerv: We do require this, but not publicly. I note and recognise Ryan's 
>> concern about requiring advance disclosure of private deals. I could see 
>> a requirement that a transferred root was not allowed to issue anything 
>> until the appropriate paperwork was publicly in place. Would that be 
>> suitable? 
> 
> Could you clarify what you mean by appropriate paperwork?

Mozilla requires that roots in our program have certain paperwork in
place in order to be issuing certs. We need the organization to publish
a CP and CPS which relate to the root, and we need audits (ongoing or
PITRA), and so on. That's what I mean.

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy