On 3/3/14, 10:33 AM, Kathleen Wilson wrote:
All,

I received the following question from an auditor, and would appreciate
hearing your opinions on it. This question is in regards to a new CA
inclusion request. New CAs are frequently not members of the CA/Browser
Forum, so they tend to find out about the Baseline Requirements audit
when they apply for inclusion.

For those CAs who have achieved compliance with the Baseline Requirements
for the first time, will your root certificate program accept a
point-in-time readiness assessment audit against the WebTrust Baseline
Requirements Program?
For reference, our documented expectations are here:
https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Audit_Criteria

Thanks,
Kathleen
Based on the discussion so far, it appears that folks are OK with new CAs getting a point-in-time readiness assessment audit the first time they get a Baseline Requirements audit, as long as the CA has also been getting the other audits (WebTrust CA or ETSI TS 102 042) done annually.

https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Time_Frames_for_included_CAs_to_comply_with_the_new_policy

Currently says:
"Any Certificate Authority being considered for root inclusion after February 15, 2013 must comply with Version 2.1 of Mozilla's CA Certificate Policy."

Mozilla's CA Certificate Policy version 2.1 and later requires a BR audit, but doesn't say anything about a point-in-time readiness audit.

How about if I update the wiki page as follows?

"Any Certificate Authority being considered for root inclusion after February 15, 2013 must comply with Version 2.1 of Mozilla's CA Certificate Policy. This includes having a Baseline Requirements audit performed if the websites trust bit is to be enabled. Note that the CA's first Baseline Requirements audit may be a Point in Time audit."

Thanks,
Kathleen


_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy