If your CA is audited according to ETSI 319 401, there is a clear obligation for a
CA (aka TSP) "to issue to those meeting the qualifications specified":

* REQ-7.1.1-02: Trust service practices under which the TSP operates shall be 
* REQ-7.1.1-03: The TSP should make its services accessible to all applicants 
whose activities fall within its declared field of operation and that agree to 
abide by their obligations as specified in the TSP's terms and conditions.

I don't know if WebTrust has a similar requirement.

From: Matthew Hardeman via dev-security-policy
> Perhaps it should be the broader question of both issuance policy and 
> revocation?
> For example, guidelines denote what issuance is permissible but 
> nowhere in the BR policies (or in any of the root programs as far as 
> I'm aware) is an affirmative obligation to issue to those meeting the 
> qualifications specified.
> On Thu, Apr 12, 2018 at 3:46 PM, Wayne Thayer via dev-security-policy < 
> dev-security-policy@lists.mozilla.org> wrote:
> > Eric raised an issue distinct from 'the value of EV' that I think is
> > important: Can certificate revocation be used as a form of censorship? 
> > As HTTPS becomes the default state of the web, it becomes more 
> > important to consider this issue and what should be done about it. I 
> > plan to discuss this with others at Mozilla, and I welcome more 
> > discussion here on the topic (perhaps in a new thread).
> >
> > - Wayne

With best regards,
Rufus Buschart

Siemens AG
GS IT HR 7 4
Hugo-Junkers-Str. 9
90411 Nuernberg, Germany
Tel.: +49 1522 2894134
