On Wed, Jul 24, 2024 at 3:10 PM 'Bruce Morton' via
[email protected] <[email protected]>
wrote:
>
> Claves, thank you for the question. As I re-read the blog post, it seems we 
> could have been clearer.
>
> We are not yet providing certificates issued from SSL.com. Our intent was to 
> announce the partnership with SSL.com and communicate our plan for how we 
> will provide continuity to our customers for public TLS certificates after 
> October 31. Our next step is to do the work necessary to have this capability 
> in place before that time.
> Our plan is to serve as an external RA, with SSL.com as the CA, as provided 
> for in the Baseline Requirements, section 1.3.2. Beforehand, we will complete 
> the required reviews and approval from SSL.com, as outlined in the BRs 
> sections 1.3.2, 5.3.1, and 5.5.2. As part of this process, we will undergo a 
> WebTrust Audit for RAs.
>
> We are committed to operating under the CA/Browser Forum Baseline 
> Requirements, and completing the improvement plans we’ve communicated to this 
> community. We hope this demonstrates that we are approaching this arrangement 
> with due rigor, and our commitment to improve our compliance and incident 
> handling.

Several of the incidents where Entrust failed involve functions that
1.3.2 permits delegation of. I'd like to see more clarity about how
these risks are managed, and what precisely is being delegated.

To StartSSL: Responsibility is a unique concept. You may share it but
your portion is not diminished.

Sincerely,
Watson Ladd
