On 18/01/2017 16:20, Gervase Markham wrote:
On 17/01/17 23:27, Jakob Bohm wrote:
Notes on the text in that branched section (other than the actual
change discussed here):
This paranthesis indicates none of these are in scope for this
particular issue, just something that might be their own issues,
either already pending or interesting to queue up later.
- It does not include some other changes under discussion (such as the
new version of the BRs). This may need to be manually reapplied after
merging in the movement of text from the inclusion to the audit
section.
The magic of git :-)
OK, didn't know git could handle the lines moved and changed case
(other than by possibly punting to the user due to removed lines not
matching).
- There is no clause that can formally cover the recent decision by
Mozilla to disqualify a specific auditor in Hong Kong. E.g. something
along the lines that Mozilla may publicly announce at /url/ that
certain parties that match these criteria will not be trusted for
reasons there stated.
Inclusion policy bullet 16, together with bullets 13 and 14, together
make it clear that the decision about whether to accept audits from a
particular auditor rests with Mozilla.
I found the language in the moved/new audit section to suggest that CAs
really wouldn't have a reason to ask Mozilla before choosing a major
name brand WebTrust auditor such as the one in question. Also, there
is the question if any existing CAs (other than the misaudited one)
already use that same distrusted auditor.
- There is no set of non-ETSI audit criteria for e-mail certificates as
trusted by Mozilla Thunderbird.
Do you have some to propose?
No, but I seem to recall someone else made a closely related suggestion
in an earlier thread (not sure which one).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
