On Thursday, October 29, 2015 at 4:26:21 AM UTC+9, Ryan Sleevi wrote:
> On Wed, October 28, 2015 1:55 am, [email protected] wrote:
> >
> > Dear Sleevi
> >
> > First of all, I appreciate your detailed opinions and suggestions
> >
> > In terms of option B (application to only be for that of your SSL/website
> > CA rather than your root CA)
> > All CAs in CA hierarchy (including Root CA) has to follow a government
> > law. So, it's not easy to adapt
> > option B in this case
>
> Earlier, you said "Actually, e-Signature law doesn't mention of SSL
> directly", which seems to run counter to your statements here.
>
> It also does not appear to be strictly necessary for your SSL issuance to
> be rooted in the same CA hierarchy, which was somewhat the point of Option
> B.
>
> Put differently, you've indicated that local law does not govern the SSL
> issuance, and the only reason you're in this predicament is because you've
> chosen to transitively root your SSL issuance to a root that does follow
> local law. Further, you've indicated that the reason your CPS is
> non-conforming does not, seemingly, appear to be related to local law, but
> rather the policies of the Government-operated Root, for which there does
> not seem any technical necessity to root yourself in.
>
> As such, it's unclear why Option B is not viable. I can understand
> difficult, but I do want to separate out difficulty/complexity from legal
> necessity, as they have very different impacts with respect to how the
> program should be operated.

Ryan

I appreciate your further opinion of what I mentioned. It is right what you said. e-Government law doesn't mention SSL. However, Root CA (governed and controlled by government) is reluctant to build a designated SSL CPS although the law does not mention an SSL CPS guide. Relationship between Root CA and Government is very strict, not soft. Anyway, I need your understanding of the local situation. I continue to persuade Root CA to build a designated SSL CPS and fortunately, Root CA is about to make a decision on it soon.

>
> > If Root CA provides a
> > mapping table between RFC3647 and current
> > CPS for more easy review whether current CPS comply with the contents of
> > RFC3647 or not, do you think is it acceptable?
>
> Personally, I do not think it should be acceptable, as this seems to be a
> result of taking shortcuts / not fully considering the program
> requirements for the recognition of your SSL CA, rather than an intrinsic
> legal quandary as you have presented.
>
> However, it's entirely possible I've misunderstood, so I appreciate the
> continued explanations to develop a shared understanding.

I understand that providing a mapping table between RFC3647 and current CPS is not an appropriate solution. It is a plan B for us if Root CA does not decide to make an SSL CPS.

Thank you for your opinion again. It is very helpful to us.

Minyoun
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

