On 2016-09-23 00:57, Peter Bowen wrote:
Kathleen, Gerv, Richard and m.d.s.p,
In reviewing the WebTrust audit documentation submitted by various CA
program members and organizations wishing to be members, it seems
there is possibly some confusion on what is required by Mozilla. I
suspect this might also span to ETSI audit documentation, but I don't
know the ETSI process as well, so will leave it to some else to
determine if there is confusion there.
So at least 1 thing I miss in those audit reports is which CAs are
covered. If you look at the CAs they disclosed, how can we be sure that
the audit actually covers that CA? I think the report should cover at
least all root and intermediate CAs that are required to be disclosed by
Mozilla.
Kurt
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
