Kathleen Wilson
Feb 2, 2015, 2:32:33 PM
to mozilla-dev-s...@lists.mozilla.org
I have been asked the following question about why both the “Principles
and Criteria for Certification Authorities 2.0” and the “SSL Baseline
Requirements Audit Criteria” are required.
== Question ==
As far as we know, the principles of both standards are identical, except
for the technical network security specifications in the “SSL Requirements
Baseline Audit Criteria”, as shown in the following matrix:
WT CA 2.0 CA Principles -- WT BR SSL 2.0 Principles
P1. CA Business Practices Disclosure -- P1. Baseline Requirements Business Practices Disclosure
P2. CA Environmental Controls -- P3. CA Environmental Security
P3. Service Integrity -- P2. Service Integrity
none -- P4. Network and Certificate Systems Security Requirements
We consider that this is enough to comply with the “SSL Baseline Requirements
Audit Criteria” for the certifications under the scope. Would you be so
kind as to let us know the reason for asking for both standards? Based on our
understanding, this situation increases the costs of accreditation for
quality, security and reliability of WebTrust, ... in addition to causing
confusion.
Please, we would like to clarify this issue.
== END Question ==
My question: If the CA is only requesting the Websites trust bit
(non-EV), then is it sufficient for them to only get a WebTrust BR audit
statement?
Of course, if the CA is also requesting the email and code signing trust
bits, then they must have an audit statement that applies to email and
code signing certs (i.e. WebTrust BR audit statement alone is not
sufficient).
Kathleen