On Mon, August 31, 2015 5:48 pm, Moudrick M. Dadashov wrote:
> I'm afraid there seems to be a bit of misinterpretation of ETSI policies:
> EVCP, EVCP+, DVCP, OVCP are based on the same general requirements and
> have cumulative effect: higher level (e.g. EVCP) conformance assessment
> assumes lower level conformance while the opposite is not true.
>
> In other words if a CA has an EV audit, it assumes OVCP or DVCP
> conformance and doesn't require respective extra audits.
>
> Thanks,
> M.D.

1) That's mostly irrelevant for the topic at hand (code signing, email), since EVCP/DVCP has to do with the EVGs/SSL BRs, which don't concern themselves with, say, how to validate the information in an S/MIME certificate. Are you conflating this thread with the SSC policy review, perhaps, where that distinction may be more relevant?

2) That same argument has been made for WebTrust for CAs vs WebTrust for CAs - SSL BRs with NetSec, of which the past discussion was that _both_ are required.

My point of raising this was that in the audit schemes required, there's no "email trust audit", other than perhaps the ISO scheme (no CA is using) or ETSI (with respect to QCP/QCP-SSCD), and the Mozilla requirements regarding email trust are... spartan, to say the least :)

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

