You're right, but I was actually referring to a third party audit - required for non technically constrained SubCAs.

Adriano

On 11/11/2015 16:08, Peter Bowen wrote:
> On Wed, Nov 11, 2015 at 12:21 AM, Adriano Santoni <[email protected]> wrote:
>
>> The issue I raised is not whether ccTLD are allowed in the BRs (they apparently are, to date) or what kind of entity could be allowed a ccTLD in their SubCA certificate's permittedSubtrees.
>>
>> My point is whether a SubCA having a ccTLD in its permittedSubtrees can reasonably be regarded as "technically constrained" and therefore be allowed not to be disclosed and not to be formally audited.
>
> .....
>
> Under the Mozilla policy today, this is not true. Mozilla inclusion policy item #12 requires that all CAs follow the CA/Browser Forum Baseline Requirements (BRs). The BRs require the CA signing the technically constrained cross certificate to audit the constrained CA. The "parent" CA is then required to be audited and presumably their controls and operations of subordinate audit will be reviewed by their WebTrust or ETSI auditor.
>
> I agree this is a weaker requirement, but there is oversight.
>
> Thanks,
> Peter

--
Adriano Santoni
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

