On 9/21/15 7:07 PM, Kathleen Wilson wrote:
In https://wiki.mozilla.org/CA:CertificatePolicyV2.3
The proposal is:
(D27) Clarify which audit criteria are required depending on which trust
bits are set. In particular, root certs with only the S/MIME trust bit
set will have different audit criteria requirements than root certs with
the Websites trust bit set.
First, we need to determine if the Email trust bit should remain part of
Mozilla's CA Certificate Policy.
I am of the opinion that we should leave the Email trust bit as-is for
this next version of Mozilla's CA Certificate Policy, as stated here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/ORqkOowGw8M/VIlMJyt8BQAJ
Therefore, I also propose that we don't separate out the audit criteria
according to trust bit in version 2.3 of the policy. Rather, the
separation will be part of another effort to create a separate S/MIME
policy in 2016.
This means that the following audit criteria will continue to be
considered acceptable for root certificates with only the Email trust
bit enabled:
- ETSI TS 101 456
- ETSI TS 102 042 (and the replacement)
- WebTrust for CA
And, as currently stated in the policy, ETSI TS 101 456 may not be used
if the Websites trust bit is enabled.
Here is some data about the root certs currently included in our program.
===
CAs that *only* have included root certificates with only the S/MIME
trust bit enabled; i.e. do *not* also have included root certs with the
Websites trust bit enabled:
- Certicámara S.A. – stopped issuing SSL certs from their included root
  cert, so had the Websites trust bit removed after the last SSL cert
  expired (Firefox 32). Still issuing personal certs under this root.
  Audit Criteria: WebTrust for CA
- ComSign
  Audit Criteria: ETSI TS 101 456
- Deutscher Sparkassen Verlag GmbH (S-TRUST, DSV-Gruppe)
  Audit Criteria: ETSI TS 102 042
  (Recently acquired the “TC TrustCenter Class 3 CA II”, for which the
  Websites trust bit was turned off in Firefox 38.)
===
CAs that have included root certs with only the S/MIME trust bit
enabled, and also have included root certs with the Websites trust bit
enabled:
- Comodo
  Audit Criteria: WebTrust for CA
- IdenTrust
  Audit Criteria: WebTrust for CA
- Netlock
  Audit Criteria: ETSI TS 102 042
- SwissSign AG
  Audit Criteria: ETSI TS 102 042
- Symantec
  Audit Criteria: WebTrust for CA
- TeliaSonera
  Audit Criteria: WebTrust for CA
===
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy