On Wed, Mar 8, 2017 at 6:50 AM, Ryan Sleevi <r...@sleevi.com> wrote:
>
> On Wed, Mar 8, 2017 at 9:23 AM, Peter Bowen wrote:
>
>> > Does this make it clearer the point I was trying to make, which is that
>> > they're functionally equivalent - due to the fact that both DTPs and
>> > sub-CAs
>> > have the issue of multi-party audit scopes?
>>
>> I agree that you suggest an approach that is probably functionally
>> equivalent, but what you describe is not how WebTrust audits work.
>
>
> Peter, does my recent clarification help align this? I think we are in
> violent agreement with respect to sub-CAs that you don't get to "pick and
> choose" the principles and criteria, but for the specific case of DTPs and
> their capabilities, was trying to describe how it could fit within the 'site
> visit' examination, due to the inability to rely on / use third-party audits
> as evidence for the basis of opinion forming.
By eliminating the DTP option, you will massively raise costs for CAs that rely upon local translators and information gatherers.

I think a much better proposal would be to require the CA perform the RA activity contemplated by BR 3.2.2.4 and 3.2.2.5 and restrict DTPs to Subject Identity Information validation.

Thanks,
Peter