Hello,

As explained in the checklist (https://wiki.mozilla.org/CA:Information_checklist#Verification_Policies_and_Practices), one of the following 3 audits is required when asking for CA inclusion:

* ETSI TS 101 456
* ETSI TS 102 042
* WebTrust Principles and Criteria for Certification Authorities

I would like to know the precise criteria that Mozilla took into account when initially choosing these 3 auditors. How did Mozilla choose them, on which points did the auditors fit with Mozilla requirements? Is there a contract with the auditor in case Mozilla criteria are not respected? What sanctions can be taken (did it happen before)? Who, on Mozilla's side, checks the auditors' actions and sayings (in case there is anyone, if it is not just an assurance contract), and what is the checking process, if it is public?

Thank you in advance for the help.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

