Thanks for the update on the code signing situation within CABF. Last I knew about it, it was on the path towards adoption so it's good to know that's no longer the case. Regarding the processes to verify ownership and control, I hope you're not suggesting we should continue to allow provably insecure procedures because the BR says it's OK to use them?
Peter, I obviously do not represent ComSign, but several of the items in your list are not really specific to the CPS and instead are more comments on the Mozilla policies.

On Fri, Jan 29, 2016 at 4:24 PM, Peter Kurrasch <[email protected]> wrote:
There is not a BR from the CA/Browser Forum. A subset of the members of the CABF drafted a BR, but it failed to be adopted as a Forum Guideline when brought to a vote of the whole Forum. Concerns were raised on several fronts, including some specific requirements. Therefore I don't think it is necessary or appropriate for a CA to commit to adhere (or not adhere) to a document that is still under development. Additionally, Mozilla has determined that Code Signing is out of scope for the Mozilla CA program. Therefore, as I understand it, whether a CA issues certificates for code signing or not, and the terms under which it does so, should not be in scope for review of their CPS in this forum.
The process described in 3.2.8.1.1 is the process that was included in the Mozilla CA policy (https://wiki.mozilla.org/CA:CertInclusionPolicyV2.0) and is now included in the CABF BRs. It is an approved process to verify ownership or control of a domain.
The process described in 3.2.8.1.3 is an implementation of section 3.2.2.4 (6) of the CABF BRs. It appears to be an approved process to verify ownership or control.

Thanks,
Peter
_______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy

