On 8/13/14, 11:43 AM, Medin, Steven wrote:
> The BR on which the EVG rely do state that our
> CPS must say what we do in detail.
Good point.
BR section 8.2.1: "The CA SHALL develop, implement, enforce, and
annually update a Certificate Policy and/or Certification Practice
Statement that describes in detail how the CA implements the latest
version of these Requirements."
> I suggest that "all of the above" is a
> viable response to that due to the gamut of situations we face globally.
When I review a CP/CPS, I'm looking for information that demonstrates
compliance with Mozilla's policy. Among other things, I look for a
description of the actions that a CA takes to confirm ownership/control
of the domain name to be included in the certificate.
The EV Guidelines take subscriber verification to a higher level, so I
am fine with a CP/CPS that says that *in addition* to the steps taken
for DV/OV certs, the EV Guidelines are followed.
Kathleen