[cabfpub] FW: Bylaw update proposal

Ryan Sleevi sleevi at google.com
Tue Mar 24 05:21:33 UTC 2015

On Mar 23, 2015 10:09 PM, "kirk_hall at trendmicro.com" <
kirk_hall at trendmicro.com> wrote:
> That’s a question for the browsers – Browsers, what do you say?

I'm not sure why this is a question for browsers - audit scope is audit
scope. Some CAs include subordinate CAs in scope of their own audits - such
as when they control and operate the infrastructure - other CAs don't.

Mozilla Root Inclusion Policy (Sections 8 and 10) require that
unconstrained subordinate CAs be disclosed and audited. Mozilla CA
communications from May 2014 [1] affirmed this.

I would expect that all of the CAs fall in one of the two buckets, and it's
up to their issuer to decide.

>From the point of view of program operation, it does not make a difference
whether or not that subordinate is operated by a third party - have audit
and fill out the form, will travel.

[1] https://wiki.mozilla.org/CA:Communications#May_2014_Responses
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150323/ec7484e3/attachment-0003.html>

More information about the Public mailing list