On Tue, July 29, 2014 2:01 am, Wallas Smith wrote:
> Thank you very much for your precise answers. This helped me to come to
> new questions:

Which you will find already answered at
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/ , as I suspected.

> 1) According to what I understand, when trying to express the chain of
> Certificate trust starting from a Mozilla User, the upper trust is placed
> into Governmental Regulations and/or Professional code of Conduct of
> auditors.
> Could you tell me more about the Governmental Regulations you were
> mentioning?
> Also, is there a global regulation which gathers all these governmental
> regulations, and who controls them? In other words, who is on top of the
> chain of control?

This was already answered in my previous email, which provided enough
information for you to discover the relationship of ETSI and WebTrust (as
Audit Frameworks) to the CA/Browser Forum's Baseline Requirements, and how
those flow into the Mozilla requirements.

Which is, of course, also answered by
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/

> 2) If I still understand you well, Mozilla never really checks by
> themselves the "quality" of a given CA at a specific date (by quality
> I am not talking about the required content, which can be easily checked),
> but they report their responsibility to Auditors and Governmental
> Regulations. Does Mozilla still have some exceptional process for checking
> a CA fully by themselves, that could lead to the removal of a CA in their
> product?

This is also already answered by
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/enforcement/

> 3) Finally, if Mozilla doesn't have contracts with auditors, does Mozilla have
> contract(s) with any stratum of what I called the trust chain (with the CA
> itself or Governmental regulations, or above, depending on your answer) to
> discharge their responsibility in case of a failing CA?
> Who is responsible in case of a failing/neglected/wrongly handled CA in
> front of the law?

Once again, already answered.
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/enforcement/

Also, read the CAs' CPs/CPSes to understand what liabilities exist and how they fit.

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

