On 11/6/2014 1:50 PM, Kathleen Wilson wrote:
> The CAB Forum's EV guidelines include the Baseline Requirements.
> Likewise, the WebTrust EV audit criteria include the Baseline
> Requirements audit criteria. So, I have been asked to make the following
> clarification.
>
> In
> https://wiki.mozilla.org/CA:BaselineRequirements#WebTrust_BR_Audit_Statement
>
> I propose adding the following text:
> --
> If the root certificate is enabled for EV treatment, then the following
> three public-facing audit statements are required annually:
> 1. WebTrust CA -- WebTrust Principles and Criteria for Certification
> Authorities
> 2. WebTrust BR -- WebTrust Principles and Criteria for Certification
> Authorities – SSL Baseline with Network Security (or Principles and
> Criteria - SSL Baseline Requirements)
> 3. WebTrust EV -- WebTrust Principles and Criteria for Certification
> Authorities – Extended Validation SSL (or Principles and Criteria for
> Certification Authorities – Extended Validation Audit Criteria)
>
> However, if the CA hierarchy can only be used for EV certificates, and
> the CP/CPS clearly states this, then a separate WebTrust BR audit
> statement is not needed because it is encompassed within the WebTrust EV
> audit. In other words, the WebTrust EV audit statement will also suffice
> as the WebTrust BR audit statement.
> --
>
> I will appreciate constructive feedback on this proposal.
>
> Kathleen
>
I read "CA:BaselineRequirements" to see how the proposed insertion fit within the overall document. It seems okay.

However, the section on "CA Conformance to the BRs" might need expansion. The third paragraph -- beginning with "It is not sufficient to simply reference section 11 of the CA/Browser Forum's Baseline Requirements (BR)." -- is narrow in scope to only section 11 of the BRs. Are there no other areas in the BRs where a certification authority is given alternatives?

Perhaps this paragraph should state:

Where the CA/Browser Forum's Baseline Requirements (BR) indicate alternative means to satisfy the BRs, the certification authority's CP/CPS must explicitly state which alternatives are used. The audit statement must then explicitly restate those alternatives. Merely referencing the BRs in either the CP/CPS or the audit statement provides insufficient confirmation that the certification authority operates in an acceptable manner.

NOTE: The paragraph I cited has "Brower" instead of "Browser".

--
David E. Ross

I am sticking with SeaMonkey 2.26.1 until saved passwords can be used when autocomplete=off. See <https://bugzilla.mozilla.org/show_bug.cgi?id=1064639>.