On Fri, Sep 23, 2016 at 5:29 AM, Kurt Roeckx <[email protected]> wrote:
> On 2016-09-23 00:57, Peter Bowen wrote:
>>
>> Kathleen, Gerv, Richard and m.d.s.p,
>>
>> In reviewing the WebTrust audit documentation submitted by various CA
>> program members and organizations wishing to be members, it seems
>> there is possibly some confusion on what is required by Mozilla. I
>> suspect this might also span to ETSI audit documentation, but I don't
>> know the ETSI process as well, so will leave it to someone else to
>> determine if there is confusion there.
>
> So at least 1 thing I miss in those audit reports is which CAs are covered.
> If you look at the CAs they disclosed, how can we be sure that the audit
> actually covers that CA? I think the report should cover at least all root
> and intermediate CAs that are required to be disclosed by Mozilla.
And many audit reports specify this. See the following examples from the Mozilla included CAs report. I didn't check all -- I'm sure many more have lists of in scope CAs.

https://cert.webtrust.org/SealFile?seal=2032&file=pdf (in the first paragraph lists the CAs)
https://cert.webtrust.org/SealFile?seal=1998&file=pdf (first paragraph lists the CA, appendix listing the CA details)
https://www.certsign.ro/certsign_en/files/certSIGN_Webtrust_CA.pdf (bulleted list of CAs)
https://cert.webtrust.org/SealFile?seal=2092&file=pdf (first paragraph)
https://cert.webtrust.org/SealFile?seal=1944&file=pdf (Appendix listing CA details)
https://cert.webtrust.org/SealFile?seal=1568&file=pdf (Appendix listing CAs)

So for many reports you don't have to guess which are covered.

Thanks,
Peter

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy