Ian G wrote:
The policy says, we need published information, *eg* the CPS.
Not, "CPS must be published."
Yes, exactly. We typically use the CPS and/or CP because almost all CAs
publish those documents; however there is no requirement that the
information published by the CA be in the form of a CPS or CP.
Speaking personally, I think think that it is good practice for CAs to
publish a CPS. If a CA has private information relating to detailed
internal processes that it does not wish to make public, I suggest that
it put such material in a separate "CA operations manual" that is
internal-only.
Frank
--
Frank Hecker
hec...@mozillafoundation.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto