Comment 227 for bug 232340

Mozilla requirements are thought for companies. CAcert.org clearly doesn't have the money or the human resources (they are all volunteers!) to write the policies (legal texts), perform a deep audit, reimplement it's software to follow all those new policies, and do the procedures related to the DPA in matter of months as companies with a much lower security level but with dedicated HR and large budget can.

http://iang.org/papers/open_audit_lisa.html
http://wiki.cacert.org/wiki/AuditToDo