https://wiki.mozilla.org/CA:How_to_apply#Creation_and_submission_of_the_root_CA_certificate_inclusion_request
"An official representative of the CA must submit and/or participate in the root inclusion request. According to Mozilla's CA Certificate Inclusion Policy: "To request that its certificate(s) be added to the default set a CA should submit a formal request by submitting a bug report into the mozilla.org Bugzilla system ... The request must be made by an authorized representative of the subject CA..." If the CA contracts to another organization to help with the root inclusion request, the representative of the CA must clarify that relationship in the bug, and must provide clear information about who the ongoing points-of-contact will be for the CA."


Perhaps a step should be added to the information verification phase to verify the authority of the representative of the CA.
(https://wiki.mozilla.org/CA:How_to_apply#Information_Verification)

Should we specify and define different types of CA representatives?
e.g. technical contact, administrative contact, consultant, etc.

What steps do you think would be reasonable and sufficient to confirm that the CA representative has the authority to act in that capacity?


Kathleen

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
