It has been brought to my attention that the proposed item #11 in
is insufficient, and that we need to explicitly list where Mozilla's CA
Certificate Policy overrides the CAB Forum BRs.

How about the following instead?

"11. CA operations and issuance of certificates to be used for
SSL-enabled servers must also conform to the current version of the
CA/Browser Forum Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates. In the event of inconsistency between
Mozilla's CA Certificate Policy requirements and the Baseline
Requirements, Mozilla's CA Certificate Policy takes precedence. The
items listed below will be accepted as reason for not following the
Baseline Requirements. If you find an inconsistency that is not listed
here, notify Mozilla by sending email to certifica...@mozilla.org so the
item can be considered.

- Mozilla's CA Certificate Policy defining a competent and independent
auditor takes precedence over BR 17.6, Auditor Qualifications.
- Name Constraints does not need to be marked as critical."

Is this new text clear?
Are there other inconsistencies between the CAB Forum BRs and Mozilla's
CA Certificate Policy that we should include in this list?