On Wed, Feb 14, 2018 at 10:29 AM, YairE via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> We take your recommendation and we consider generating a brand new root
> with a new key pair that will run only on the new CA software – whilst
> providing all the audits and needed information as requested.
> We need to know for certain before we initiate such a process that doing
> so would be accepted by you and Ryan, and that we could continue from this
> point, rather than starting over again at the beginning of the process.

The Mozilla process does not guarantee trust as a pre-condition to taking actions. Merely, in rejecting an application, it can give the reasons why that application is rejected. Future submissions should therefore be mindful to avoid repeating the same mistakes. That does not prevent new mistakes from being made, thus new submissions should be mindful of the Baseline Requirement, the Mozilla CA Policy, and the set of community expectations and considerations that will be taken into account when evaluating whether or not to trust any new certificates.

I do not believe it wise to accept this inclusion request, thus any new inclusion request should avoid these issues as part of the design and consideration - which would include ensuring that the infrastructure fully complies with the Baseline Requirements and equivalent system controls.

You can always engage with an auditor or consultant to help design your system in a way to ensure compliance, both prior to generating your keys and certificate, and to ensure its continued compliance and responsiveness to industry and policy changes over time.