On Mon, May 1, 2017 at 5:02 PM, Lee via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Maybe it's because I've worked with some incredibly bad auditors, but
> the way I read the proposal, doing anything other than one of those
> exact 10 methods is risking an audit failure.

Well, you can hopefully understand why requiring exactly those 10 methods
IS desired :)

> How would you word the policy to make it clear that while a CA is
> required to use one of those 10 methods, the CA is also allowed to do
> additional/stricter checks?

I wouldn't think it would be necessary, any more than a CA that adds
additional checks to identity validation (of which many do) doesn't require
additional details to permit it :)

The BRs define the minimum, not the absolute :)