Comment 149 for bug 1271513

In , Consultingwebtrust (consultingwebtrust) wrote :

Hi Kathleen,

We are contacting you as we are facing the following question:

As the internal consultancy service of FNMT, we are surprised that besides the accreditation “SSL Baseline Requirements Audit Criteria”, FNMT was asked for “Principles and Criteria for Certification Authorities 2.0”.

As far as we know the principles of both standards are identical, except for technical network security specifications “SSL Requirements Baseline Audit Criteria” as shown in the following matrix:

WT CA 2.0                               WT BR SSL 2.0
CA Principles                           Principles
P1. CA Business Practices Disclosure    P1. Baseline Requirements Business Practices Disclosure
P2. CA Environmental Controls           P3. CA Environmental Security
P3. Service Integrity                   P2. Service Integrity
                                        P4. Network and Certificate Systems Security Requirements

We consider that it is enough to comply with “SSL Baseline Requirements Audit Criteria” for the certifications under the scope. Would you be so kind as to let us know the reason for asking for both standards? Based on our understanding, this situation increases the costs of accreditation for quality, security and reliability of WebTrust, ... in addition to causing confusion.

Please, we would like to clarify this issue.

Best regards