Kathleen, do the auditors that failed to notice surrogate (eIDAS/GDPR 
non-compliant) QESCs (Qualified electronic signature certificate) fall under 
this definition?

Thanks,
M.D.
Sent from my Galaxy

-------- Original message --------
From: Kathleen Wilson <kwil...@mozilla.com>
Date: 3/2/23 02:46 (GMT+02:00)
To: dev-security-policy@mozilla.org
Subject: Re: DRAFT: Root Inclusion Considerations

I continue to receive feedback/concerns about the auditor bullet point in the 
"Concerning Behavior" section, so I am attempting to resolve those concerns 
with the following version of that bullet point:

The CA is using an auditing organization (ETSI, WebTrust) that has not audited 
other publicly trusted CAs whose root certificates are included in browser 
root store programs, and the Auditor Qualifications indicate that the audit 
team is inexperienced in auditing CA operations, public key infrastructure, 
trust services or similar information systems.

New auditors are allowed under the condition that the CA ensures that the 
Audit Team is led by third-party specialists or affiliate audit firms who are 
experienced in auditing publicly trusted CAs, and this information must be 
provided as part of the Auditor Qualifications.

I will appreciate feedback and suggestions on this new text. Does it address 
your concerns?

Also, I am no longer receiving feedback on the rest of the wiki page, 
https://wiki.mozilla.org/CA/Root_Inclusion_Considerations, so I am assuming 
that the rest of the page is solid (i.e. ready to remove the "DRAFT" at the top 
of the page).

Thanks,
Kathleen



-- 
You received this message because you are subscribed to the Google Groups 
"dev-security-policy@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to dev-security-policy+unsubscr...@mozilla.org.
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/164d74b3-2371-4d79-815c-2bcd466ace00n%40mozilla.org.
