I continue to receive feedback/concerns about the auditor bullet point in the "Concerning Behavior <https://wiki.mozilla.org/CA/Root_Inclusion_Considerations#Concerning_Behavior>" section, so I am attempting to resolve those concerns with the following version of that bullet point:
- The CA is using an auditing organization (ETSI <https://wiki.mozilla.org/CA/Audit_Statements#Verifying_ETSI_Auditor_Qualifications>, WebTrust <https://wiki.mozilla.org/CA/Audit_Statements#Verifying_WebTrust_Auditor_Qualifications>) that has not audited other publicly trusted CAs whose root certificates are included in browser root store programs, and the Auditor Qualifications <https://wiki.mozilla.org/CA/Audit_Statements#Providing_Auditor_Qualifications> indicate that the audit team is inexperienced in auditing CA operations, public key infrastructure, trust services or similar information systems.
  - New auditors are allowed under the condition that the CA ensures that the Audit Team is led by third-party specialists or affiliate audit firms who are experienced in auditing publicly trusted CAs, and this information must be provided as part of the Auditor Qualifications.

I will appreciate feedback and suggestions on this new text. Does it address your concerns?

Also, I am no longer receiving feedback on the rest of the wiki page, https://wiki.mozilla.org/CA/Root_Inclusion_Considerations, so I am assuming that the rest of the page is solid (i.e. ready to remove the "DRAFT" at the top of the page).

Thanks,
Kathleen