On 11/7/14, 2:07 AM, Chema López wrote:
> If "the WebTrust EV audit criteria includes the Baseline Requirements audit
> criteria" and, "In other words, the WebTrust EV audit statement will also
> suffice as the WebTrust BR audit statement", why is it required for CAs to pay
> for three seals? Maybe it is enough to hold WT4CA and WTEV.
> Even more, if the approach is as the following picture shows, why would it
> be necessary to have a WT4CA?
Many CA hierarchies include both non-EV SSL and EV SSL certificates.
The WTEV audit covers the issuance of EV SSL certificates.
The WT4CA audit is needed for the non-EV SSL certificates.
But the WT4CA audit does not include the WTBR audit.
So, I believe that you do have a point that if a CA hierarchy may *only*
be used for EV certificates, and the CP/CPS clearly states this, then
the WTEV audit alone is sufficient. Does anyone disagree?
However, if non-EV SSL certificates are also issued in the same CA
hierarchy, then the WT4CA and WTBR audits are also needed.
By the way, I think the topic of "seal" is slightly different. I am OK
with all 3 of the audit statements being combined into the same pdf. I
also am OK with a CA not having their audit statement posted on the
webtrust.org website -- it just means I have to do a little extra work
to check with the auditor to make sure the audit statement is authentic.
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy