Gervase Markham wrote:
> Frank Hecker wrote:
<snip>
>> My initial conclusion is that we don't need to reference the WebTrust
>> draft document, but can confine ourselves to referencing the relevant
>> section(s) of the guidelines.
>
> Without an audit, how do we assure compliance?

I wasn't implying that we would require an audit; see below.

> It seems to me that it makes sense to leverage that, by saying that our
> criteria for EV enablement is a passed WebTrust EV Audit.

But that's being more specific than what the guidelines actually say. (This is relevant to Eddy's point as well.)

Let's suppose we have language like the following (note that this is *not* proposed draft language at this point, it's just me thinking out loud):

    In order for its root CA certificate to be marked as EV-capable, the CA must comply with the "Guidelines for the Issuance and Management of Extended Validation Certificates, Version 1.0" as published by the CAB Forum.

Inherent in that compliance is compliance to section 4(a)(3) of the guidelines:

    (3) Comply with the requirements of (i) the then-current WebTrust Program for CAs, and (ii) the then-current WebTrust EV Program, or an equivalent for both (i) and (ii) as approved by the CA/Browser Forum;

as well as compliance to section 35 of the guidelines, which has similar language but goes into more detail.

So I think the requirement for an audit is inherent in the requirement for compliance with the guidelines. If we wanted to emphasize the audit requirement, we could say something like

    ... CA must comply with the "Guidelines for the Issuance and Management of Extended Validation Certificates, Version 1.0", including the requirements of section 35, "Audit Requirements".

The above is why I don't think we need to reference the WebTrust document specifically.

Your thoughts?

Frank

--
Frank Hecker
[EMAIL PROTECTED]

dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto