The CABF BR section 2.2 "PUBLICATION OF INFORMATION" contains the following requirement:

    The Certificate Policy and/or Certification Practice Statement MUST be structured in accordance with RFC 3647 and MUST include all material required by RFC 3647.

The CABF BR section 4.9.3 "Procedure for Revocation Request" contains the following requirement:

    ... The CA SHALL provide Subscribers, Relying Parties, Application Software Suppliers, and other third parties with clear instructions for reporting suspected Private Key Compromise, Certificate misuse, or other types of fraud, compromise, misuse, inappropriate conduct, or any other matter related to Certificates. The CA SHALL publicly disclose the instructions through a readily accessible online means and in section 1.5.2 of their CPS.

According to RFC 3647 chapter 6, which defines the detailed structure of the CP and CPS documents, chapter 1.5 shall contain the policy administration information as follows:

    1.5 Policy administration
    1.5.1 Organization administering the document
    1.5.2 Contact person
    1.5.3 Person determining CPS suitability for the policy
    1.5.4 CPS approval procedures

So according to RFC 3647, chapter 1.5.2 shall contain the contact person information for whoever is responsible for the management of the CPS, but the BR requires that chapter 1.5.2 shall contain the information regarding private key compromise.

What is your opinion about it? Where to put this information in the CPS? Is chapter 1.5.2 really the correct and expected place for it? Presently we have this information in section 4.9.3 of our CPS.

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

