On 01/05/17 18:53, Lee wrote:
> You seem to be replacing a "meets or exceeds" requirement with a
> "strictly meets" requirement.

That is not particularly the intention. I think that the Baseline nature
of the Baseline Requirements means that CAs know it's generally OK to go
above and beyond what it requires.

> In other words, make it clear to an auditor that while the CA must
> meet the baseline requirements, it's not an audit failure if they go
> above & beyond the minimum requirements of domain validation.

Well, CAs are not audited to the Mozilla Policy, they are audited to the
BRs. :-)

dev-security-policy mailing list

Reply via email to