On 19/05/17 14:26, Kurt Roeckx wrote:
> I'm wondering why something like this should be in the Mozilla policy
> and not be part of something else that they get audited for.

Section 6.5.1 of the BRs states: "The CA SHALL enforce multi‐factor authentication for all accounts capable of directly causing certificate issuance."

I'm not sure whether that came from the Mozilla policy or vice versa, but it appeared in the Mozilla policy in version 2.1, and was communicated as a requirement in a CA Communication in September 2011, in response to DigiNotar. It was also in draft 34 of the BRs, written in May 2011. So it may be we got it from them.

Gerv
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

