Frank Hecker wrote:
Jyrki Nivala wrote:
The problem with both RFC 3647 and ANSI X9.79 is that they don't have any requirements for the CA. E.g. RFC 3647 only "presents a framework to assist the writers of certificate policies...Further, this document does not define a specific CP or CPS. Moreover, in presenting a framework, this document should be viewed and used as a flexible tool presenting topics that should be considered of particular relevance to CPs or CPSs, and not as a rigid formula for producing CPs or CPSs."

Thanks for your comments. After reading RFC 3647 more closely I understand your point: It in effect says "the CA should describe how they do task X" (where X might be protection of signing keys), but does not necessarily say "X should be done in a way that meets requirement Y".


I guess I'll have to get a copy of X9.79 to see if it takes the same approach.

I have now acquired and read a copy of X9.79, and in fact X9.79 does have a set of real CA criteria in Appendix B, "(Normative) Certification Authority Control Objectives". I have not done a detailed comparison of X9.79 and the WebTrust for CAs criteria, but based on Appendix D of the WebTrust criteria it appears that there is a one-to-one correspondence between most if not all of the X9.79 Appendix B criteria and the WebTrust criteria.


(The wording of the criteria is slightly different in X9.79 vs. WebTrust; in X9.79 the detailed criteria are presented as straightforward "the CA shall do X" requirements, while in WebTrust the detailed criteria are often presented as "illustrative controls".)

Frank

--
Frank Hecker
_______________________________________________
mozilla-crypto mailing list
mozilla-crypto@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-crypto