[cabfpub] FW: Bylaw update proposal
sleevi at google.com
Tue Mar 24 08:39:56 MST 2015
On Mar 23, 2015 10:29 PM, "Peter Bowen" <pzbowen at gmail.com> wrote:
> On Mon, Mar 23, 2015 at 10:21 PM, Ryan Sleevi <sleevi at google.com> wrote:
> > On Mar 23, 2015 10:09 PM, "kirk_hall at trendmicro.com"
> > <kirk_hall at trendmicro.com> wrote:
> >> That’s a question for the browsers – Browsers, what do you say?
> > I'm not sure why this is a question for browsers - audit scope is audit
> > scope. Some CAs include subordinate CAs in scope of their own audits -
> > as when they control and operate the infrastructure - other CAs don't.
> > Mozilla Root Inclusion Policy (Sections 8 and 10) requires that
> > subordinate CAs be disclosed and audited. Mozilla CA communications from
> > 2014 affirmed this.
> > I would expect that all of the CAs fall in one of the two buckets, and
> > up to their issuer to decide.
> > From the point of view of program operation, it does not make a
> > difference whether or not that subordinate is operated by a third party -
> > have audit and fill out the form, will travel.
> Here are two examples of CAs that are not Root CAs in any browser, and
> have issued multiple certificates according to CT logs:
> Unisys: http://uispki.unisys.com/rep/ (Current WebTrust for CA and BR
> linked at the bottom of the page)
> SSL.com: https://secure.comodo.com/products/publiclyDisclosedSubCACerts
> - serial 1100C5BF2758C19969FC68ED729DFCD7 (Audit info at top of page)
> (apologies for picking on both of these, but they were easy to find)
> Both are welcome to join and vote?