On 8/12/14, 10:58 PM, Steve Roylance wrote:
Hi Kathleen,
I see the underlying question that you (and Matt) wanted us to answer.
Apologies in not being complete in my response the first time around.
The reason we are specific in the CPS with regards to Organizational vetting
(for everything other than EV) is a historical one. Prior to the Baseline
Requirements we had to stipulate exactly how we validated a company as there
were no external standards to point towards. Of course this has now
changed in that like EV we 'could' also reference the external methods
allowed by the Baseline Requirements, however, as we still have a number of
other certificate types that incorporate Organization information we
specifically reference the methods we use for these. In the short term we
don't plan on changing the wording as we'll soon have guidelines for BR
based Code Signing too.
In response to this discussion thread I'm going to suggest to our Policy
Authority 2 (in charge of CP/CPS) that when BR Code Signing is released, we
reword the sections, referring out to EV and BR guidelines and only
highlight if there are differences for the remaining products.
As far as what we actually do for Extended Validation then we follow the
guidelines and therefore also the allowed alternatives and our auditors
verify this on a yearly basis. If we were to incorporate actual processes
then we would have to sync updates to the CPS with changes to EV (Rather
than our internal process documents) and that makes things harder all round.
Does that answer your concern?
Note that I'm in our Singapore office today and flying back tomorrow so
additional responses will be delayed until Friday UK time if I didn't
address your concern.
Kind Regards
Steve
The reason I didn't notice this before, is because I didn't notice the
part in CPS section 3.2.2 that said "For all Certificates other than
Extended Validation"
I do *not* believe that simply referencing the BRs and the EV Guidelines
is sufficient.
For example, lets look at domain verification for SSL certs.
Baseline Requirements section 11.1.1 lists several ways in which the CA
may confirm that the certificate subscriber owns/controls the domain
name to be included in the certificate. Simply referencing section 11 of
the BRs does not tell us which of those options the CA uses.
Also, I don't believe that the following has changed, and I don't
believe that referencing BR section 11 provides sufficient information
to satisfy this.
https://wiki.mozilla.org/CA:Recommended_Practices#Verifying_Domain_Name_Ownership
"The CA's public documentation needs to provide sufficient information
describing the steps taken by the CA to confirm that the certificate
subscriber owns/controls the domain name to be included in the
certificate. For instance, if a challenge-response type of procedure is
used, then there needs to be a brief description of the process. If
public resources are used, then there should be a description of which
public resources are used, what data is retrieved from public resources,
and how that data is used to verify that the certificate subscriber
owns/controls the domain name."
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
