On 02/13/2009 09:36 PM, Ben Bucksch:

FWIW, this is irrelevant. *We* require the ETSI. We can also require
additional requirements, like that the CPS is published.

or you have to add a new policy or practices point which says that
regardless of ETSI, the CPS must be published.

It already states:
"6. We require that all CAs whose certificates are distributed with our
software products:
...
* publicly disclose information about their policies and business
practices (e.g., in a Certificate Policy and Certification Practice
Statement);"

"14. To request that its certificate(s) be added to the default set a CA
should submit a formal request by submitting a bug report
<https://bugzilla.mozilla.org/enter_bug.cgi?product=mozilla.org&component=CA%20Certificates>
into the mozilla.org Bugzilla system ...
...
* a Certificate Policy and Certification Practice Statement (or links to
a CP and CPS) /or/ equivalent disclosure document(s) for the CA or CAs
in question; /and/"

To me, that reads that the CPS (or whatever other document publishes the
practices, no matter how it's called, therefore the "equivalent"
wording) *must* be public.


Re-reading once again, I think you are right! Putting into question if it's called CPS or otherwise is really nit-picking!

"publicly disclose information about their policies and business practices" clearly says what it's meant to be, call it however you want. The audit requirement makes the context also clear. It's what we expected really.

Hence I think too that the Mozilla CA policy is clear in its requirements in this respect.


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
