On Mon, May 1, 2017 at 5:02 PM, Lee via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Maybe it's because I've worked with some incredibly bad auditors, but
> the way I read the proposal, doing anything other than one of those
> exact 10 methods is risking an audit failure.

Well, you can hopefully understand why requiring exactly those 10 methods IS desired :)

> How would you word the policy to make it clear that while a CA is
> required to use one of those 10 methods, the CA is also allowed to do
> additional/stricter checks?

I wouldn't think it would be necessary, any more than a CA that adds additional checks to identity validation (of which many do) doesn't require additional details to permit it :)

The BRs define the minimum, not the absolute :)