On 2014-01-05 17:22, [email protected] wrote:
> Maybe it would help that the spreadsheet also says what period is
> covered, or when it's going to expire.

Certainly. Note that for some CAs, I have provided both the covered periods and the date when the report was issued in my mail.

From the rules you quoted, each CA should have an audit report covering an audit period ending not more than 15 months ago (12 months for the audit period following the one on file, plus 3 months to deliver the report), irrespective of the date when the report was issued. (Alternatively, an explanatory letter.)

According to these rules, and assuming that all data in the spreadsheet was accurate, all four listed CAs - Trustwave, Wisekey, RSA and IGC/A (ANSSI) - as well as all other CAs with the most recent audit report covering less than August 2012 - were in violation of the inclusion policy at that time.

Notably, even if their self-audit report is for some reason considered acceptable, IGC/A (ANSSI) has been in violation for over 9 months now, *and* has demonstrated that they are unable to run a CA in a secure way (not only by allowing a MitM cert to chain up to them, see also the discussion in the "Revoking Trust in one ANSSI Certificate" thread about other misissuances).

What else does a CA have to do to get removed?

Kind regards,
Jan

--
Please avoid sending mails, use the group instead.
If you really need to send me an e-mail, mention "FROM NG" in the subject line, otherwise my spam filter will delete your mail.
Sorry for the inconvenience, thank the spammers...

