Comment 156 for bug 1271513

In , Consultingwebtrust (consultingwebtrust) wrote :

(In reply to Kathleen Wilson from comment #137)
> Thank you for the clarification.
>
> Here's the current status of this request...
>
> Needed to complete the Information Verification phase:
> https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
>
> 1) Audit statement (e.g. WebTrust for CA or ETSI 102 042) that covers SSL
> and Code Signing certs
>
> 2) BR Commitment to Comply in CP/CPS

Dear Kathleen,

Regarding the audit statement, we strongly believe that there are major overlaps between the “WebTrust Principles and Criteria for Certification Authorities Version 2.0” and the “WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security – Version 2.0”, and this issue should be clarified in the Mozilla CA Certificate Policy. We understand that under Mozilla’s own criteria, both documents' requirements must be satisfied. However, we think this is not the most efficient way to handle it because of the extra cost and time that CA management needs to budget to engage in duplicate reporting of the same controls. We kindly ask you for some clarification of this situation for the industry, CPA Canada and users, because we did not find any reference about it and many of us have serious doubts in that respect.

Having said this, we have developed a compliance matrix (CA + SSL BR) for this client and indeed all the requirements have been satisfied and we have evidence for this assertion. Please let us know how to go ahead.

We remain at your disposal for any further clarification concerning this topic.

Best regards.