On Wed, Feb 14, 2018 at 10:29 AM, YairE via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> We take your recommendation and we consider generating a brand new root
> with a new key pair that will run only on the new CA software – whilst
> providing all the audits and needed information as requested.
> We need to know for certain before we initiate such a process that doing
> so would be accepted by you and Ryan, and that we could continue from this
> point, rather than starting over again at the beginning of the process.

The Mozilla process does not guarantee trust as a pre-condition to taking
actions. Merely, in rejecting an application, it can give the reasons why
that application is rejected. Future submissions should therefore be
mindful to avoid repeating the same mistakes. That does not prevent new
mistakes from being made, thus new submissions should be mindful of the
Baseline Requirements, the Mozilla CA Policy, and the set of community
expectations and considerations that will be taken into account when
evaluating whether or not to trust any new certificates.

I do not believe it wise to accept this inclusion request, thus any new
inclusion request should avoid these issues as part of the design and
consideration - which would include ensuring that the infrastructure fully
complies with the Baseline Requirements and equivalent system controls. You
can always engage with an auditor or consultant to help design your system
in a way to ensure compliance, both prior to generating your keys and
certificate, and to ensure its continued compliance and responsiveness to
industry and policy changes over time.