> > This discussion should consider what's best for Mozilla's users. Perhaps
> > that aligns precisely with the minimum requirements in the EVGs, or perhaps
> > it doesn't. Mozilla are free to specify additional requirements if they
> > feel the need to do so, just as Microsoft did recently...
>
> Maybe I misunderstood the original email from Kathleen, but my
> impression was that she was looking purely for clarification of what
> is already required by the CA/Browser Forum Baseline Requirements. As
> you point out Mozilla can adopt additional requirements as part of the
> Mozilla CA Certificate Policy, but I think that is a different
> discussion. In order to have that discussion, one needs to understand
> what is already required by the Policy, and that is what I was
> addressing.
>
My original email was regarding the current state of the BRs, and I would like to clarify what the current requirements are. However, I think it is reasonable for this discussion to progress into whether or not the BRs and/or Mozilla policy need to be updated to address the questions.

I am wondering if the BRs need to be updated to:

+ Define what is meant by "Certificate misuse, or other types of fraud" (e.g. being used for a purpose outside of that contained in the cert, or the applicant provided false information).

+ Add text similar to what is in the EV Guidelines stating that TLS/SSL certificates focus only on the ownership of the domain name(s) included in the certificate, and not on the behavior of the website. Note that the BRs already have section 9.6.1 about certificate warranties.

In regards to Mozilla policy, maybe we should consider adding text about Mozilla's expectations for CAs when they find out that a TLS/SSL certificate that they issued is being used to do bad things.

I've added a link to this discussion to https://wiki.mozilla.org/CA:CertificatePolicyV2.3#Proposed_Changes_Currently_in_Discussion

Thanks,
Kathleen

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

