This is one of the issues with a WebTrust audit in that WebTrust Auditors may not look at a CP/CPS depending on the management assertion. The trust in PKI is based on documented procedures so to not operate against a CP/CPS degrades the trust in PKI. The US Federal PKI have run into a similar issue where trust in Federal PKI is based on assurance strength of the certificate policies in a CP/CPS. The audit must verify a CA is following its operational practices to maintain that trust. This model only works if the validation is by a certificate policy and not simple path validation.
If this was added to the Mozilla CP, how would it be enforced and verified? The WebTrust letter would say it explicitly?
What are your pro/cons?
Date: Wed, 23 Nov 2016 10:47:06 +0000
From: Gervase Markham <
ge...@mozilla.org>
To:
mozilla-dev-s...@lists.mozilla.org
Subject: Re: Let's Encrypt Blocklist Incident, November 21 2016
Message-ID: <
XuadnTBSnNk37qjF...@mozilla.org>
Content-Type: text/plain; charset=utf-8
NOTICE: Protiviti is a global consulting and internal audit firm composed of experts specializing in risk and advisory services. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. This electronic mail message is intended exclusively for the individual or entity to which it is addressed. This message, together with any attachment, may contain confidential and privileged information. Any views, opinions or conclusions expressed in this message are those of the individual sender and do not necessarily reflect the views of Protiviti Inc. or its affiliates. Any unauthorized review, use, printing, copying, retention, disclosure or distribution is strictly prohibited. If you have received this message in error, please immediately advise the sender by reply email message to the sender and delete all copies of this message. Thank you.