Hello Rafa,

Thank you for your reply.  The background to my question was really about
ensuring ongoing compliance.  I believe that an initial audit to verify
that no TLS certificate has ever been issued by "AC FNMT Usuarios", and a
recurring annual audit to confirm that remains so, is acceptable.  However,
given that "AC FNMT Usuarios" is technically capable, if the audit ever
comes back inconclusive or if there is ever any doubt that such an audit
could detect any inadvertent issuance, the assumption should be that
mis-issuance has occurred and it would be reasonable to act accordingly.

With that stipulation, I don't have any objections to the roots in question
continuing the Mozilla inclusion process.

Andrew

On Mon, Mar 14, 2016 at 11:00 AM, <rafa...@gmail.com> wrote:

> > However I still hold out some hope that the current proposal could be
> workable.  I'm sorry if I missed it in the thread or bug, what is the
> rationale that a "AC FNMT Usuarios" doesn't require an ongoing WebTrust SSL
> BRs audit?
> >
> Hi Andrew.
>
> As specified in the CA/Browser Forum Baseline Requirements documents, these
> requirements only address certificates intended to be used for
> authenticating servers accessible through the Internet.
>
> Notice that "AC FNMT Usuarios" issues qualified certificates for natural
> persons (citizens). Therefore, it can't be audited according to the BR
> requirements because we don't issue SSL certs with this subCA (in fact, we
> have technical configuration restrictions to prevent SSL cert issuance).
>
> As I mentioned, "AC FNMT Usuarios" only issues "qualified certificates",
> where the ETSI 101 456 audit criteria apply. Nevertheless, because this
> subordinate CA doesn't have the EKU extension, according to the
> "CA:BaselineRequirements" document on the Mozilla wiki, "AC FNMT Usuarios" is
> "in scope" and it's necessary to perform "procedures to confirm that there
> are no SSL certificates".
>
> Best Regards,
>
> Rafa
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>