Thanks for highlighting. We'll update and come back to the Mozilla team when approved by our policy authority members. I shall try to ensure we look at why we missed this instruction too.
Steve Sent from my iPhone > On 14 Aug 2014, at 00:57, Kathleen Wilson <[email protected]> wrote: > >> On 8/12/14, 10:58 PM, Steve Roylance wrote: >> Hi Kathleen, >> >> I see the underlying question that you (and Matt) wanted us to answer. >> Apologies in not being complete in my response the first time around. >> >> The reason we are specific in the CPS with regards to Organizational vetting >> (for everything other than EV) is a historical one. Prior to the Baseline >> Requirements we had to stipulate exactly how we validated a company as there >> were no external standards to point towards. Of course this has now >> changed in that like EV we 'could' also reference the external methods >> allowed by the Baseline Requirements, however, as we still have a number of >> other certificate types that incorporate Organization information we >> specifically reference the methods we use for these. In the short term we >> don't plan on changing the wording as we'll soon have guidelines for BR >> based Code Signing too. >> >> In response to this discussion thread I'm going to suggest to our Policy >> Authority 2 (in charge of CP/CPS) that when BR Code Signing is released, we >> reword the sections, referring out to EV and BR guidelines and only >> highlight if there are differences for the remaining products. >> >> As far as what we actually do for Extended Validation then we follow the >> guidelines and therefore also the allowed alternatives and our auditors >> verify this on a yearly basis. If we were to incorporate actual processes >> then we would have to sync updates to the CPS with changes to EV (Rather >> than our internal process documents) and that makes things harder all round. >> >> Does that answer your concern? >> >> Note that I'm in our Singapore office today and flying back tomorrow so >> additional responses will be delayed until Friday UK time if I didn't >> address your concern. >> >> Kind Regards >> >> Steve > > > The reason I didn't notice this before, is because I didn't notice the part > in CPS section 3.2.2 that said "For all Certificates other than Extended > Validation" > > > I do *not* believe that simply referencing the BRs and the EV Guidelines is > sufficient. > > For example, lets look at domain verification for SSL certs. > > Baseline Requirements section 11.1.1 lists several ways in which the CA may > confirm that the certificate subscriber owns/controls the domain name to be > included in the certificate. Simply referencing section 11 of the BRs does > not tell us which of those options the CA uses. > > Also, I don't believe that the following has changed, and I don't believe > that referencing BR section 11 provides sufficient information to satisfy > this. > https://wiki.mozilla.org/CA:Recommended_Practices#Verifying_Domain_Name_Ownership > "The CA's public documentation needs to provide sufficient information > describing the steps taken by the CA to confirm that the certificate > subscriber owns/controls the domain name to be included in the certificate. > For instance, if a challenge-response type of procedure is used, then there > needs to be a brief description of the process. If public resources are used, > then there should be a description of which public resources are used, what > data is retrieved from public resources, and how that data is used to verify > that the certificate subscriber owns/controls the domain name." > > Kathleen > > > > > > > > > > > > _______________________________________________ > dev-security-policy mailing list > [email protected] > https://lists.mozilla.org/listinfo/dev-security-policy
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
