On Tue, Nov 3, 2015 at 4:24 PM, Kathleen Wilson <kwil...@mozilla.com> wrote:
> Topic to discuss [1]:
> “(D3) Make the timeline clear about when the audit statements and disclosure
> has to happen for new audited/disclosed subCAs.
>
> What further clarification needs to be added to Mozilla’s CA Certificate
> Policy to make it more clear when the audit statements and disclosure has to
> happen for new subCAs?

Given that it is Mozilla policy to require all CAs to follow the CA/Browser Forum Baseline Requirements, and that the Baseline Requirements require that "the CA SHALL publicly disclose its Certificate Policy and/or Certification Practice Statement through an appropriate and readily accessible online means that is available on a 24x7 basis" and that "the CA SHALL disclose all Cross Certificates that identify the CA as the Subject, provided that the CA arranged for or accepted the establishment of the trust relationship (i.e. the Cross Certificate at issue)," should Mozilla require disclosure of the CP, CPS, operator name, and operator URL for all cross-certificates prior to use?

I realize that Mozilla carved out allowance for not disclosing, but the CA/Browser Forum did not adopt this, instead only exempting technically constrained CAs from the audit requirement. Maybe this is a place where the Mozilla policy can be aligned with the BRs.

Thanks,
Peter

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy