On 1/7/2016 12:29 PM, Kathleen Wilson wrote: > On 1/7/16 11:15 AM, Peter Bowen wrote: >> <snip> >> >> Until such time that the provide this, I don't see how they are any >> different from the thousands of private PKIs that are run by companies >> for their own use. Many of those PKIs may be used to MITM >> connections. > > OK. I suppose that means I should go ahead and start the information > verification process for this request. > https://wiki.mozilla.org/CA:How_to_apply#Information_Verification > > >> All CAs should be held to the same standard when asking for admission >> to the Mozilla program, this is no different. > > That's very logical. > I was sort of hoping to avoid spending the time doing the Information > Verification if I didn't have to. > > Kathleen >
I suggest deferring any effort on this request other than informing the certification authority that they need audits both for WebTrust for CA and for BR. That notice should also indicate that, without PROPER audits with public-facing audit reports, no action can be taken. No other effort should be expended on this. -- David E. Ross The Crimea is Putin's Sudetenland. The Ukraine will be Putin's Czechoslovakia. See <http://www.rossde.com/editorials/edtl_PutinUkraine.html>. _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
