On Sun, May 17, 2015 at 7:59 PM, Ryan Sleevi <ryan-mozdevsecpol...@sleevi.com> wrote:
> On Sun, May 17, 2015 6:06 pm, Peter Bowen wrote:
>> I was assuming this discussion was based on the concept that
>> Government CAs did not need to meet all the audit criteria. Otherwise
>> why are we having it?
>
> Why indeed ;)
>
> As I mentioned in my reply to Eric, my own suspicion is that this
> conversation has restarted as a result of Microsoft's soft-announcement to
> the CA/B Forum to look at constraining government CAs, and the question
> inevitably is what should or can Mozilla do?
As indicated, Microsoft has only released their draft of new requirements under NDA, so the next best thing is to look at their existing requirements for audits: http://social.technet.microsoft.com/wiki/contents/articles/26675.windows-root-certificate-program-audit-requirements-for-cas.aspx

They do not require Government CAs to complete either ETSI or WebTrust audits; instead they can claim "equivalency" under "local law or regulation". It is announced that this is being phased out over the next 18 months.

From this thread, it seems clear that Mozilla does not intend to have similar allowances for government CAs. The only open item is when Mozilla intends to enforce the requirement of having a BR audit and remove the SSL trust bit from those that do not.

Thanks,
Peter

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy