On Saturday, April 22, 2017 at 5:25:35 AM UTC-7,
wangs...@gmail.com wrote:
> We have a question about completing the BR self assessment:
> is it necessary that all the BR requirements appear in
> relevant sections of the CP/CPS?
It is OK if the information is in different sections in the CP/CPS, just be sure to indicate which sections of the CP/CPS the information is in.
> Or, for some BR requirements that are not specifically
> disclosed in the CP/CPS, can CAs explain their rules and
> practices to show that they meet or exceed these requirements?
Per section 3.3 of Mozilla's CA Certificate Policy:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
"We rely on publicly disclosed documentation (e.g., in a Certificate Policy and Certification Practice Statement) to ascertain that our requirements are met."
So, for the most part, the information must be available in publicly disclosed documentation that is available on the CA's website. And in the BR Self Assessment you need to clearly indicate which document and which section of the document shows that your CA meets the BR.
There are items, such as the three test websites, that we can verify directly, so those items do not need to be in the CP/CPS documents.
When you are doing your BR Self Assessment, if you find that the required information is not currently in your CP/CPS documents, then you may indicate what your CA currently does, how it is currently documented, that the next version of your CP/CPS will contain this information, and when the next version of your CP/CPS will be available.
Kathleen