I think this is okay.

[email protected]
+34 666 429 224 (Spain)
gplus.to/chemalogo
@chemalogo <https://twitter.com/chemalogo/>
www.linkedin.com/in/chemalogo
Skype: chemalogo

On Tue, Mar 11, 2014 at 12:19 AM, Kathleen Wilson <[email protected]> wrote:

> On 3/6/14, 9:58 AM, Kathleen Wilson wrote:
>
>> On 3/3/14, 10:33 AM, Kathleen Wilson wrote:
>>
>>> All,
>>>
>>> I received the following question from an auditor, and would appreciate
>>> hearing your opinions on it. This question is in regards to a new CA
>>> inclusion request. New CAs are frequently not members of the CA/Browser
>>> Forum, so they tend to find out about the Baseline Requirements audit
>>> when they apply for inclusion.
>>>
>>>> For those CA who have done the compliance with the Baseline Requirements
>>>> for the first time, will your root certificate program accept a
>>>> point-in-time readiness assessment audit against the WebTrust Baseline
>>>> Requirements Program?
>>>
>>> For reference, our documented expectations are here:
>>> https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Audit_Criteria
>>>
>>> Thanks,
>>> Kathleen
>>
>> Based on the discussion so far, it appears that folks are OK with new
>> CAs getting a point-in-time readiness assessment audit the first time
>> they get a Baseline Requirements audit, as long as the CA has also been
>> getting the other audits (WebTrust CA or ETSI TS 102 042) done annually.
>>
>> https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Time_Frames_for_included_CAs_to_comply_with_the_new_policy
>>
>> Currently says:
>> "Any Certificate Authority being considered for root inclusion after
>> February 15, 2013 must comply with Version 2.1 of Mozilla's CA
>> Certificate Policy."
>>
>> Mozilla's CA Certificate Policy version 2.1 and later requires a BR
>> audit, but doesn't say anything about a point-in-time readiness audit.
>>
>> How about if I update the wiki page as follows?
>>
>> "Any Certificate Authority being considered for root inclusion after
>> February 15, 2013 must comply with Version 2.1 of Mozilla's CA
>> Certificate Policy. This includes having a Baseline Requirements audit
>> performed if the websites trust bit is to be enabled. Note that the CA's
>> first Baseline Requirements audit may be a Point in Time audit."
>>
>> Thanks,
>> Kathleen
>
> I made the proposed change to the wiki page.
>
> https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Time_Frames_for_included_CAs_to_comply_with_the_new_policy
> "Any Certificate Authority being considered for root inclusion after
> February 15, 2013 must comply with Version 2.1 or later of Mozilla's CA
> Certificate Policy. This includes having a Baseline Requirements audit
> performed if the websites trust bit is to be enabled. Note that the CA's
> first Baseline Requirements audit may be a Point in Time audit."
>
> Please let me know if you see any problems with this change.
>
> Thanks,
> Kathleen
>
> PS: I also updated a few of the links in that page.
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

