Dear all,

just a short note on that with regard to auditing and Audit Attestations based upon ETSI: throughout the audit we check the incidents of the current audit period as documented by the CA (have they been addressed at a sufficient level, have the measures taken proven that they are sufficient in depth and coverage, etc.). We are going to write a finding in case incidents seem to be not or not fully covered. We do have a corresponding section 7.9 in ETSI EN 319 401 dealing with that. Furthermore we agreed with the browsers to have a specific section in the Audit Attestation: any Bugzilla bugs reported in the audit period are going to be listed in the Attestation including their status (closed, open/reason).
Hence, from my perspective we would not really need an additional requirement in the Mozilla policy for that. And please let's keep in mind that the best way to treat such things is to add them to a CA/B Forum requirements document rather than to a browser's root store policy, as that affects only CAs being part of that Root Store rather than the whole community.

Clemens