Dear all, 
just a short note on that with regard to auditing and Audit Attestations based 
upon ETSI: throughout the audit we check the incidents of the current audit 
period as documented by the CA (have they been addressed at a sufficient level, 
have the measures taken proven that they are sufficient in depth and coverage, 
etc.). We are going to write a finding in case incidents seem to be not or not 
fully covered. We do have a corresponding section 7.9 in ETSI EN 319 401 
dealing with that.   
Furthermore we agreed with the browsers to have a specific section in the Audit 
Attestation: any Bugzilla bugs reported in the audit period are going to be 
listed in the Attestation including their status (closed, open/reason).

Hence, from my perspective we would not really need an additional requirement 
in the Mozilla policy for that. And please let's keep in mind that the best way 
to treat such things is to add them to a CA/B Forum requirements document 
rather than to a browser's root store policy as that affects only CAs being part 
of that Root Store rather than the whole community.

dev-security-policy mailing list