On 1/5/14 12:58 PM, Kurt Roeckx wrote:
> I've been going over Mozilla's policy. In the inclusion policy
> (V2.2), under 12 it says that you need to conform to the
> CA/Browser baseline requirements V1.1.5, but it doesn't say
> anything about when you need to comply with the EV Guidelines,
> currently at V1.4.3.
>
> Am I missing something, or is the policy missing something?
>
> Kurt

For EV certs we've historically relied on the audit criteria listed in
item #11.

"11. We consider the criteria for CA operations published in any of the
following documents to be acceptable:
....
Clause 7, "Requirements on CA practice", in ETSI TS 102 042 V2.3.1 or
later version, Policy requirements for certification authorities issuing
public key certificates (as applicable to the "EVCP" and "EVCP+" ...
....
WebTrust "Principles and Criteria for Certification Authorities -
Extended Validation Audit Criteria 1.4" or later in WebTrust Program for
Certification Authorities."

We could add another item to the policy, such as:

"CA operations and issuance of Extended Validation (EV) certificates
must also conform to version 1.4 or later of the CA/Browser Forum
Guidelines For The Issuance And Management Of Extended Validation
Certificates."

Is this needed?

Thanks,
Kathleen