On Thu, Mar 12, 2020 at 12:46 PM Sándor dr. Szőke via dev-security-policy <
[email protected]> wrote:

> So according to the RFC3647 the chapter 1.5.2 shall contain the contact
> person information who is responsible for the management of the CPS,
> but the BR requires that the chapter 1.5.2 shall contain the information
> regarding the private key compromise.
>
>
> What is your opinion about it? Where to put this information in the CPS?
> Is the chapter 1.5.2 really the correct and expected place for it?
>

Yes.  That is what the BRs say.

These are not mutually exclusive requirements. You can place the contact
person for the CP/CPS, as well as the contact person for compromises in
that section, and they don't have to be the same person.

The CP/CPS makes obligations of the CA, and there needs to be a way to
determine how to contact the CA - for example, if the CP/CPS was not
adhered to, if a Subscriber certificate is found to be violating the
CP/CPS, etc.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
