On 4/28/14, 5:41 PM, Peter Bowen wrote:

On Mon, Apr 28, 2014 at 12:04 PM, Kathleen Wilson <[email protected]> wrote:

1) Ensure that Mozilla’s spreadsheet of included root certificates has the
correct link to your most recent audit statement, and that the date of the
audit statement is correct. As per Mozilla's CA Certificate Policy, we
require that all CAs whose certificates are distributed with our software
products provide us an updated statement annually of attestation of their
conformance to the stated verification requirements and other operational
criteria by a competent independent party or parties.

Please respond with one of the following:
A) Mozilla’s spreadsheet of included root certificates has the correct link
to our most recent audit statement, and the audit statement date is correct.
B) Here is the most recent audit statement for our certificates that are
included in Mozilla’s CA program: <insert link here>
C) We plan to send Mozilla our current audit statement by <insert date
here>.

2) Send Mozilla the link to your most recent Baseline Requirements audit
statement. Details about Mozilla's audit requirements are listed in section
11 of Mozilla's CA Certificate Inclusion Policy.

Please respond with one of the following:
A) Mozilla’s spreadsheet of included root certificates has the correct link
to our most recent Baseline Requirements audit statement.
B) Here is the most recent Baseline Requirements audit statement for our
certificates that are included in Mozilla’s CA program: <insert link here>
C) We plan to send Mozilla our current Baseline Requirements audit statement
by <insert date here>.
D) The websites (SSL/TLS) trust bit is not enabled for our certificates that
are included in Mozilla's CA program.

Both 1) and 2) should probably have an additional option:
- We do not have a current audit for this root. Please remove the root
from the Mozilla CA program.

While I would hope that any CA choosing this option would have already
provided this information, it is a valid choice.

Thanks,
Peter

How about:
D) We do not have a current audit statement for this root certificate,
because <explain reason. If phasing out use of the root then indicate
date when the certs expire or when the root may be removed.>

(There might be some roots, such as ECC, that are included but aren't
actively used yet.)

Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy