On 18/05/15 14:45, Gervase Markham wrote: > On 17/05/15 23:28, Peter Bowen wrote: >> I'll bite. >> >> What if Mozilla puts a simple rule in place? >> >> All CAs must either: >> - Have a WebTrust for BR and ETSI TS 102 042 assessment conducted by a >> assessor who meets the requirements of BR 8.2 or >> - Be named constrained > > The result of that would be that Kamu SM would either change its auditor > or be name constrained. There would be no other changes. ANSSI is the > only other CA which does not use an auditor which fits our criteria, and > it is already name-constrained.
Apologies, that's not true, if you want to require an unqualified BR audit. There would be other CAs who didn't meet the first option - although it's not just government CAs which don't yet have a BR audit, so the changes would be on both sides of the aisle. Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
