On 05/11/13 00:07, Kathleen Wilson wrote:
<snip>
> What is the role of the CA’s primary point of contact (POC) with
> regard to Mozilla’s CA program?
>
> The CA’s POC must be someone within the CA’s organization who has
> authority to speak on behalf of the CA, to make commitments for the CA,
> and to direct whatever changes the review process or Mozilla’s CA
> Communications require.  That person should also be in a position that
> can be held accountable by the CA.  A CA may have more than one POC, and
> may use a contractor as one of the POCs.
>
> The POC will:
> - Provide annual audit statements
> - Respond to CA Communications
> - Make sure the CA’s rows in the included spreadsheet remain current
> (http://www.mozilla.org/projects/security/certs/included/)
> - Inform Mozilla when there is a change in the organization, ownership,
> CA policies, or in the POC that Mozilla should be aware of, as per items
> 4 through 7 of
> http://www.mozilla.org/projects/security/certs/policy/MaintenancePolicy.html

Kathleen,

Much of the contact Mozilla has with CAs is technical in nature. Root Inclusion requests are no exception. I think it's good when the CAs' techies get directly involved on technical matters.

As a humble CA techie, I don't have authority to "make commitments for" Comodo, so I can't be a Primary POC. But is it really necessary to forbid me from being the person who makes sure that "the included spreadsheet" is accurate or who handles the technical aspects of Root Inclusion requests?

How about recognizing a Technical POC for each CA, as well as a Primary POC?

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy