On 02/09/2009 08:44 PM, kathleen95...@yahoo.com:
This begins the one-week discussion period. After that week, I will
provide a summary of issues noted and action items. If there are no
outstanding issues, then this request can be approved for inclusion.
If there are outstanding issues or action i
kathleen95...@yahoo.com wrote:
The summary of the action items resulting from this first public
discussion is as follows.
A publicly available document that is evaluated as part of the annual
audit needs to be provided, and it must include information that
satisfies section 7, parts a, b, and c
On 02/13/2009 11:46 AM, Ian G:
Don't fixate on the title. CAs generally have some set of documents that
are internal / not published, and some set of documents that are
published. If someone like the WebTrust people come along and say "CPS
must be published" then the CPS gets thinner and some oth
>Seems to me that this is another case where we're having problems
>because we're using a term ("CPS") which is widely understood, but
>for which more than one meaning exists. As long as we continue to
>use it without defining it, we will have problems of people seeming
>to agree, but having diffe
On 02/13/2009 10:47 PM, Nelson B Bolyard:
Is that a way forward?
Whatever it's called, it must be *the* document which was the base for
the auditor as well. There is no substitute to it really.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.s
Ian G wrote, On 2009-02-13 01:46:
> Don't fixate on the title. CAs generally have some set of documents
> that are internal / not published, and some set of documents that are
> published. If someone like the WebTrust people come along and say "CPS
> must be published" then the CPS gets thinne
The summary of the action items resulting from this first public
discussion is as follows.
A publicly available document that is evaluated as part of the annual
audit needs to be provided, and it must include information that
satisfies section 7, parts a, b, and c of the Mozilla CA Certificate
Pol
On 13.02.2009 20:37, kathleen95...@yahoo.com wrote:
Certigna’s CPS contains sensitive information that cannot be posted
publicly at this time. As such, the following possible solutions are
recommended:
1) Publish a version of the CPS with the confidential material
redacted.
Yeah, that's fin
On 02/13/2009 09:36 PM, Ben Bucksch:
FWIW, this is irrelevant. *We* require the ETSI. We can also require
additional requirements, like that the CPS is published.
or you have to add a new policy or practices point which says that
regardless of ETSI, the CPS must be published.
It already stat
On 02/13/2009 09:37 PM, kathleen95...@yahoo.com:
The summary of the action items resulting from this first public
discussion is as follows.
A publicly available document that is evaluated as part of the annual
audit needs to be provided, and it must include information that
satisfies section 7,
On 13.02.2009 16:56, Ian G wrote:
But it isn't me that sets the criteria, it is in this case ETSI, and
the *policy* clearly says that ETSI is acceptable, and apparently ETSI
say non-publication is ok.
FWIW, this is irrelevant. *We* require the ETSI. We can also require
additional requirements
On 02/13/2009 05:56 PM, Ian G:
But it isn't me that sets the criteria, it is in this case ETSI, and the
*policy* clearly says that ETSI is acceptable, and apparently ETSI say
non-publication is ok. So you either have to take it up with ETSI (good
luck) or you have to add a new policy or practices
On 02/13/2009 11:19 AM, Ian G:
1. * All documents supplied as evidence should be publicly available and
must be addressed in any audit.
2. * Any substantial omissions submitted afterwards may need to be
confirmed by auditor, at Mozilla's discretion.
Keeping replies short, #1 and #2 sound fine
On 13/2/09 16:15, Ben Bucksch wrote:
For reference, Ian added, and Eddy reverted:
(old text)
The CP/CPS should be publicly available from the CA's official web site
(added text)
(we rely on public documents only).
If you do not publish the CP/CPS (not recommended), you will need to
publish an e
On 12.02.2009 20:11, Ian G wrote:
On 11/2/09 21:26, Eddy Nigg wrote:
On 02/11/2009 06:43 PM, Ian G:
OK, I made some changes on the wiki
For reference, Ian added, and Eddy reverted:
(old text)
The CP/CPS should be publicly available from the CA's official web site
(added text)
(we re
On 13.02.2009 16:15, Ben Bucksch wrote:
Ian, I also disagree with your change. CPS IMHO must be public,
period. It's important for "Relying parties". The CPS is the only
thing that shows what the CA actually does and warrants to relying
parties.
Even more so must the "recommended practices" be
At 7:58 PM -0800 2/12/09, Nelson B Bolyard wrote:
>Recently, a CA that uses partitioned CRLs applied to admission to
>the Mozilla/NSS root CA list. Our choices appear to be:
>
>1) Do not admit their root until support for partitioned CRLs is done.
>(There is no active plan of record to do that wor
On Feb 13, 11:58 am, Nelson B Bolyard wrote:
> Michael Ströder wrote, On 2009-02-10 00:27:
>
> > Nelson B Bolyard wrote:
> >> This is probably a policy question, but: are we willing to accept CAs
> >> that use CRLs that we cannot parse?
>
> > I'd say no.
>
> >> Does this CA also implement OCSP? C
On 12/2/09 20:46, Eddy Nigg wrote:
On 02/12/2009 09:04 PM, Ian G:
Eddy, you change your tune so fast you must be a salsa dancer ...
I don't think so. I wondered if we need a list of 20 items in order to
clarify what a CA should provide in terms of audited documents. As I
already said, many times
On 13/2/09 00:22, Eddy Nigg wrote:
On 02/12/2009 09:11 PM, Ian G:
Once the CA desk decides that is how it is, after consultation, that's
how it is. Frank held the line against requiring publication, and I for
one will support that against the steamrolling.
But there were calls made by David