On Fri, November 7, 2014 1:26 pm, Kathleen Wilson wrote: > On 11/7/14, 2:07 AM, Chema López wrote: > > If "the WebTrust EV audit criteria includes the Baseline Requirements > > audit > > criteria" and, "In other words, the WebTrust EV audit statement will > > also > > suffice as the WebTrust BR audit statement", why is required for CAs to > > pay > > for three seals? Maybe it is enough to hold WT4CA and WTEV. > > > > Even more, if the approach is as the following picture shows, why > > would it > > be necessary to have a WT4CA? > > > > > Many CA hierarchies include both non-EV SSL and EV SSL certificates. > The WTEV audit covers the issuance of EV SSL certificates. > The WT4CA audit is needed for the non-EV SSL certificates. > But the WT4CA audit does not include the WTBR audit. > > So, I believe that you do have a point that if a CA hierarchy may *only* > be used for EV certificates, and the CP/CPS clearly states this, then > the WTEV audit alone is sufficient. Does anyone disagree? > > However, if non-EV SSL certificates are also issued in the same CA > hierarchy, then the WT4CA and WTBR audits are also needed. > > By the way, I think the topic of "seal" is slightly different. I am OK > with all 3 of the audit statements being combined into the same pdf. I > also am OK with a CA not having their audit statement posted on the > webtrust.org website -- it just means I have to do a little extra work > to check with the auditor to make sure the audit statement is authentic. > > Kathleen > > > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy >
Kathleen, In order for Mozilla to recognize a root as EV, it must first be recognized as a root for SSL certificate issuance. If a certificate is issued by that root as non-EV, it will still be trusted for SSL. The concern with your current proposal is that it creates a hole for 'intent' - that is, certificates in the hierarchy 'not intended' for EV may be excluded from the EV audit - much in the same way Mozilla has had to deal with the problem of 'intent' in the BRs by adding Clauses 8 and 10 to https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ I guess my pushback would be wanting to better understand the language you believe should be added to the CP/CPS to clarify the EV-only nature of a root, since that will be the measure of how well 'intent' is distinguished. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy