[Please note that this is the second time I am trying to send this mail to the mozilla.dev.security.policy mailing list. I didn't notice it appearing in the mailing list the first time; I guess it failed, and I hope it will work this time. Thank you for your understanding.]
Hello,

As explained in the checklist (https://wiki.mozilla.org/CA:Information_checklist#Verification_Policies_and_Practices), one of the 3 following audits is required when asking for CA inclusion:

* ETSI TS 101 456
* ETSI TS 102 042
* WebTrust Principles and Criteria for Certification Authorities

I therefore have some questions regarding these audits.

1) I would like to know the precise criteria that Mozilla took into account when initially choosing these 3 audits. How did Mozilla choose them, and on which points did the auditors fit Mozilla's requirements?

2) Which auditors are allowed to deliver the audit for Mozilla (is there a list), and how were they chosen?

3) Is there a contract with the auditor(s) in case Mozilla's criteria are not respected? What sanctions can be taken (has it happened before)? Who, on Mozilla's side, checks the auditors' actions and statements (if there is anyone, and if it is not just an assurance contract), and what is the checking process, if it is public?

Thank you in advance for the help.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

