> I am wondering if rather than trying to fit this old cert and CA hierarchy 
> into relatively new requirements, would it be better to ask the CA to create 
> a new, fully BR compliant root certificate?
> 
> Then we could proceed with the remainder of the root inclusion process for 
> the new root cert and clean CA hierarchy, and the CA would migrate their 
> customers to the new hierarchy as needed.
> 
> I understand this is asking a lot of the CA, so I will appreciate your 
> thoughtful and constructive input on the best way to proceed with FNMT's root 
> inclusion request.

I've been giving this quite a lot of thought. One thing that's certainly 
concerning is the lapses in attention to detail that have been brought to 
light during the inclusion request process.

The proposal to stand up a new CA is not without merit and could make the audit 
procedure for FNMT more straightforward. Though of course I can't speak for 
other root store programs, I imagine a clean slate might result in a faster 
inclusion path for them too, which would also benefit the CA.

However, I still hold out some hope that the current proposal could be workable. 
I'm sorry if I missed it in the thread or bug: what is the rationale that an 
"AC FNMT Usuarios" doesn't require an ongoing WebTrust SSL BRs audit?

Many thanks,

Andrew

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
