Commenting only on two points, snipping the rest.

I am not associated with Docusign and this is just some guesswork to
help the process along.  Obviously someone official will have to
directly or indirectly state which of these guesses are correct.

On 10/02/2016 00:14, Charles Reiss wrote:

> Section 9.3.1 of this CP suggests that "audit results and reports" are
> confidential information, which seems to be at odds with Mozilla's
> public attestation requirement.


Could it be that the conclusion of the auditor is public, but the
detailed assessments about the confidential stuff the auditor had
access to (such as internal procedures, exact layout of the building
housing the private keys, discovered code vulnerabilities etc. etc.)
remain confidential?  Similar to how the independent audits of
financial accounts have a public part (the results and a statement by
the auditor that it has been checked to be factually true) and a
private part (commentary for the board and management).


> Section 9.3.3 of this CP states in part:
> "PKI components must not disclose certificate or certificate-related
> information to any third party unless authorized by this policy"
> while section 9.4.3 states:
> "Any and all information within a certificate is inherently public
> information and shall not be considered confidential information."
>
> What is the 'certificate information' contemplated by section 9.3.3 that
> is not contained within a certificate?


Could it be a prohibition against publishing the certificates to all
and sundry (e.g. via Google's certificate indexing protocol), even
though the certificates are not technically confidential?

Or could it be that the records and documents used in validating the
certificate application (such as the CSR, signed paperwork, copies of
official documents, callback phone numbers, revocation passwords etc.)
remain confidential?



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy