Richard,

That's great, but the system that passed the full security audit cannot
meet the BRs; you would have to change that system to meet the BRs, and
then that new system would no longer be what was audited.

I would encourage you to address the items in the order that Mozilla posed
them - such as first systematically identifying and addressing the flaws
you've found, and then working with a qualified auditor to demonstrate both
remediation and that the resulting system is BR compliant. And then perform
the security audit. This helps ensure your end result is most aligned with
the desired state - and provides the public the necessary assurances that
WoSign, and their management, understand what's required of a publicly
trusted CA.

On Wed, Jul 12, 2017 at 10:24 PM, Richard Wang <[email protected]> wrote:

> Hi Ryan,
>
> We got confirmation from Cure 53 that the new system passed the full security
> audit. Please contact Cure 53 directly to verify this, thanks.
>
> We don't start the BR audit now.
>
> Best Regards,
>
> Richard
>
> On 12 Jul 2017, at 22:09, Ryan Sleevi <[email protected]> wrote:
>
>
>
> On Tue, Jul 11, 2017 at 8:18 PM, Richard Wang <[email protected]> wrote:
>
>> Hi all,
>>
>> Your reported BR issues are from StartCom, not WoSign; we don't use the
>> new system to issue any certificates now since the new root is not generated.
>> PLEASE DO NOT mix them up, thanks.
>>
>> Best Regards,
>>
>> Richard
>>
>
> No, the BR non-compliance is demonstrated from the report provided to
> browsers - that is, the full report associated with this thread.
>
> That is, as currently implemented, the infrastructure for the new roots
> would not be able to receive an unqualified audit. Further system work is
> necessary, and that work is significant enough that it will affect the
> conclusions from the report.
>
>
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
