Kathleen Wilson
2015/2/2, 2:32:33 PM
To: mozilla-dev-s...@lists.mozilla.org
I have been asked the following question about why both the “Principles
and Criteria for Certification Authorities 2.0” and the “SSL Baseline
Requirements Audit Criteria” are required.
== Question ==
As far as we know, the principles of both standards are identical, except
for the technical network security specifications of the “SSL Requirements
Baseline Audit Criteria”, as shown in the following matrix:
WT CA 2.0 CA Principles               -- WT BR SSL 2.0 Principles
P1. CA Business Practices Disclosure  -- P1. Baseline Requirements Business Practices Disclosure
P2. CA Environmental Controls         -- P3. CA Environmental Security
P3. Service Integrity                 -- P2. Service Integrity
none                                  -- P4. Network and Certificate Systems Security Requirements
We consider that it is enough to comply with the “SSL Baseline Requirements
Audit Criteria” for the certifications under the scope. Would you be so
kind as to let us know the reason for asking for both standards? Based on our
understanding, this situation increases the costs of accreditation for
quality, security and reliability of WebTrust, ... in addition to causing
confusion.
Please, we would like to clarify this issue.
== END Question ==
My question: If the CA is only requesting the Websites trust bit
(non-EV), then is it sufficient for them to only get a WebTrust BR audit
statement?
Of course, if the CA is also requesting the email and code signing trust
bits, then they must have an audit statement that applies to email and
code signing certs (i.e. WebTrust BR audit statement alone is not
sufficient).
Kathleen