On Mon, Jun 25, 2018 at 2:45 PM Ryan Sleevi via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On Mon, Jun 25, 2018 at 5:12 PM, Pedro Fuentes via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> > 7. In my humble opinion, I think that these requirements must be formalized
> > in audit criteria or explicitly in the BR, and not raised "ad hoc". Any CA
> > embarking in an inclusion process should know all requirements beforehand.
>
> But they're already arguably part of the BRs, as I showed, and it's up to
> the relevant groups (WebTrust, ETSI) to ensure that the criteria they adopt
> reflect what browsers expect. As we see with ETSI and ACAB-c, if the
> auditor fails to meet those requirements, it's the auditor that's at fault.

8.1 is the relevant section of the BRs, and the issue was recently discussed on this list: https://groups.google.com/d/msg/mozilla.dev.security.policy/rR9g5BJ6R8E/Gwzqquv6BgAJ