On Monday, October 30, 2017 at 2:59:31 PM UTC-7, Ryan Sleevi wrote:
>
> I would expect that it would be incumbent on the CABs and the CAs providing
> EN 319 411-1 certificates to help the community better understand the level
> of assurance provided. That is, I think those supporting the continued
> recognition of ETSI should attempt to demonstrate where either the
> understanding of WebTrust-based audits or EN 319 411-1 certificates is
> incorrect or inaccurate. Otherwise, I think your conclusions - about no
> longer recognizing such schemes - are reasonable.

I hope that CAs who rely on ETSI audits are following this discussion forum, and that they will promptly add their comments/explanation here, and ask their auditors to do the same.

I've filed this issue: https://github.com/mozilla/pkipolicy/issues/105

In which I said:
~~
I think that all CAs should be held to the same level of assurance/audits. So, I think we have two choices:
1) Remove ETSI as an acceptable audit scheme.
2) The ETSI folks update their audit schemes (that Mozilla's Root Store Policy currently allows) to meet our requirements about looking backward at certificate issuance data -- period-of-time audits as described above and in our policy and the BRs.
~~

Thanks,
Kathleen

