To recap, we've established that this root was first BR audited on 26-April 
2015 and has received clean period-of-time audits over the next two years. 
ComSign has disclosed 36 certificates issued by this root prior to the BR 
point-in-time audit, of which one remains unexpired. This does not meet the 
requirements of BR section 8.1 both because the point-in-time readiness 
assessment was not completed prior to issuing a publicly-trusted certificate, 
and because the first period-of-time audit was not completed within 90 days of 
issuing a publicly-trusted certificate. Mozilla policy, however, does not 
require a root to have maintained BR compliance over its entire lifetime to be 
included in the program. ComSign's current annual WebTrust for CAs and BR 
audits are enough to meet Mozilla's requirements.

The questions I raised have been addressed to my satisfaction. If anyone has 
further concerns, please raise them this week so that we can complete the 
public discussion period for this inclusion request. 

- Wayne

On Sunday, December 24, 2017 at 2:46:03 AM UTC-7, YairE wrote:
> Hi Wayne,
> 
> As requested, I added the file with the certificates issued since 26/10/2014
> until 31/03/2015 to the bug.
> 
> Back then it seems we didn’t have a WebTrust audit (I believe we started in 
> 2015) but only external CPA and governmental audits as are attached already.
> The reason we didn’t have a WebTrust audit is that we were already being 
> audited by other auditors and the external WebTrust auditor was qualified 
> only around that time.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
