On Sun, Dec 10, 2017 at 9:15 AM, YairE via dev-security-policy <
[email protected]> wrote:

> Thank you for your notes,
> Here are the answers to your points.
>
> All the "bad" points about the CPS were addressed:
> Both CPS's are now changed to ver 4.1
>

Looks good, thank you.

> section 1 states that we are addressing the latest BR
>

I am not convinced that section 1 of your CPS meets the requirements set
forth in BR 2.2. Your CPS states:

Comsign will develop, implement, enforce, and annually update these
Procedures in accordance with the requirements of the Law, the latest
requirements of the CA/Browser forum and any other relevant practices and
requirements.

The BRs state that you 'must include a link to the official version of
these Requirements'. Also, your CPS says that you will annually update your
procedures, while the BRs require the CA to commit to comply with the
latest public version at all times.

> 3.2.2.4 was corrected
>

My concern about delegated third parties was addressed (thank you), but my
concern about homograph spoofing was not.

Also, my final point about the audit report covering the period from
2014-10-26 to 2015-04-27 was not addressed.


> I'm also attaching the new CPS'es so you can review them
>
> About the "creative commons license" it is indeed not listed and therefore
> according to Mozilla policy 3.3 will automatically be treated as CC-BY-ND
> 4.0.
> I'm also attaching the audit for October 2014 as requested and recent
> audits that include the intermediate certificates.
>

I do not think this is the intent of the policy, but I agree that this is
allowed. I've added an issue [1] to consider updating this requirement in
the next version of the policy.

[1] https://github.com/mozilla/pkipolicy/issues/110

>
> Link to all the attachments:
>
> https://drive.google.com/open?id=1VzrWqouZeda5bQkyhdboO_KvfBo9QV17
>
>
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
