On 12/05/2017 15:21, Gervase Markham wrote:
> Mozilla policy requires that certificates issued in contravention of a
> CA's CP/CPS should be revoked. Other than that, Mozilla policy does not
> directly require that a CA operate in accordance with its CP and CPS. We
> require this indirectly because the audits that we require, require it.
> This perhaps surprising omission was brought to light by the Let's
> Encrypt blocklist incident. Discussion:
>
> https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/_pSjsrZrTWY
>
> The proposal is to have Mozilla policy directly require that CAs operate
> in accordance with the appropriate CP/CPS for the root(s) in our store
> on an ongoing basis.
>
> Specifically, we could add text to the top of section 5.2 ("Forbidden
> and Required Practices"):
>
> "CA operations MUST at all times be in accordance with the applicable CP
> and CPS."
>
Perhaps tweak the wording to make the document submitted to the CCADB
binding, rather than any CP/CPS published elsewhere.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.
https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded