On Thursday, March 12, 2020 at 18:16:54 UTC+1, Ryan Sleevi wrote:
> On Thu, Mar 12, 2020 at 12:46 PM Sándor dr. Szőke via dev-security-policy <
>
> > So according to the RFC3647 the chapter 1.5.2 shall contain the contact
> > person information who is responsible for the management of the CPS,
> > but the BR requires, that the chapter 1.5.2 shall contain the information
> > regarding the private key compromise.
> >
> >
> > What is your opinion about it? Where to put this information in the CPS?
> > Is the chapter 1.5.2 really the correct and expected place for it?
> >
>
> Yes. That is what the BRs say.
>
> These are not mutually exclusive requirements. You can place the contact
> person for the CP/CPS, as well as the contact person for compromises in
> that section, and they don't have to be the same person.
>
> The CP/CPS makes obligations of the CA, and there needs to be a way to
> determine how to contact the CA - for example, if the CP/CPS was not
> adhered to, if a Subscriber certificate is found to be violating the
> CP/CPS, etc.

Thanks for the clarification.

The RFC 3647 doesn't specify any specific place for this information, so we will move it from the section 4.9.3 to the section 1.5.2 into a subchapter in our CPS.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

