On Tue, Sep 8, 2015 at 9:13 AM, Jürgen Brauckmann
<brauckm...@dfn-cert.de> wrote:
> Ryan Sleevi schrieb:
>>
>> I fear that others using the store for S/MIME or code-signing would think
>> the same as you. The reality is that this is not the case, which is why
>> it's all the more reason to make an informed decision.
>>
>> As it stands, you could do each of those things I explicitly mentioned and
>> still pass a "WebTrust for CAs" audit with flying colours,
>
> Sorry, I don't understand you. You cannot pass a WebTrust for CAs audit
> when you do the things you mentioned. There is no difference between
> email/codesigning certs and TLS server certs.

WebTrust for CAs does not require publicly publishing CRLs or
providing an OCSP responder.  The only requirement is:

"The CA maintains controls to provide reasonable assurance that
certificates are revoked, based on authorized and validated
certificate revocation requests within the time frame in accordance
with the CA’s disclosed business practices."

I could write a CPS that says "the CA will provide a list of revoked
certificates upon receipt of a written request sent to PO Box 123,
Anywhere, ST, USA".  That would meet the criteria and pass audit.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy