On February 14, 2018 at 4:17:16 AM, Wayne Thayer via dev-security-policy (dev-security-policy@lists.mozilla.org) wrote:

> The most recent BR audit report for the Visa eCommerce Root contains 3 qualifications: http://enroll.visaca.com/WTBR%20eComm.pdf

Does Mozilla have any guidelines or official position on what constitutes sufficient audit issues to result in sanctions?

Frankly I'm stunned that any CA in the Mozilla root program can apparently ignore the baseline requirements for approximately 4 years after their effective date, get an initial BR audit with multiple qualifications, and see no penalty from this behavior. And this is disregarding several other BR violations found in the wild by independent researchers.

I realize I'm banging the same drum as in my other thread, but without consistent enforcement of escalating penalties I don't believe we're teaching CAs anything other than that Mozilla will ultimately forgive almost any transgression. Unless you catch them on a bad day, in which case you might get distrusted entirely.

-Paul (reaperhulk)

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy