On Thursday, August 4, 2016 at 10:51:58 AM UTC-7, Kathleen Wilson wrote:
> 
> The CA has resolved the questions and concerns raised during the first 
> discussion, and has provided an updated root certificate with corresponding 
> updated documentation and audit statement.
> 
> Please review this request from LuxTrust to include the "LuxTrust Global Root 
> 2" certificate, turn on the Websites trust bit, and enable EV treatment.
> 
> The request is documented in the following bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=944783
> 
> Summary of Information Gathered and Verified:
> https://bugzilla.mozilla.org/attachment.cgi?id=8777892
> 
> This root signs internally-operated subordinate CAs that issue SSL and code 
> signing certificates.
> 
> Documents are in French and English.
> CA Document Repository: https://repository.luxtrust.lu
> CP: 
> https://www.luxtrust.lu/upload/data/repository/LuxTrust%20Global%20Root%20CA%20-%20Certificate%20Profiles%20v1%2022.pdf
> CPS: 
> https://www.luxtrust.lu/upload/data/repository/LuxTrust_Global_Root%20CA_Certification_Practice_Statements_v1_09.pdf
> SSL CPS: 
> https://www.luxtrust.lu/upload/data/repository/LuxTrust%20SSL%20CA%20CPS%20v1.3.pdf
> 
> SSL CPS section 3.2.2: In the particular case of SSL, RAs operating under the 
> LuxTrust SSL CA shall determine whether the domain referenced in the SSL 
> Certificate application is owned and controlled by the subscriber.
> LuxTrust validates that the Subscriber has the right to control the domain 
> names using the following verification procedures:
> [1] Communicating with the technical contact information provided by the 
> Subscriber in the order form.
> [2] Communicating directly with the Domain Name Registrant using the contact 
> information listed in the WHOIS record’s “registrant”, “technical”, or 
> “administrative” field;
> [3] Relying upon a Domain Authorization Document which contains the signature 
> of an authorized representative of the domain holder, a date that is on or 
> after the certificate request and a statement confirming the Subscriber’s 
> control over the domain names in the certificate. LuxTrust also relies on a 
> reliable third-party, the Chamber of Commerce of Luxembourg, to confirm the 
> authenticity of the Domain Authorization Document.
> 
> Root Certificate Download URL:
> https://ca.luxtrust.lu/LTGRCA2.crt
> 
> Test Website: https://ltsslca5.trustme.lu/
> 
> EV Policy OID: 1.3.171.1.1.10.5.2
> 
> CRL:
> http://crl.luxtrust.lu/LTGRCA2.crl
> http://crl.luxtrust.lu/LTSSLCA5.crl
> SSL CPS section 4.9.7: A CRL is issued each 4 hours, at an agreed time.
> 
> OCSP:
> http://ssl.ocsp.luxtrust.lu
> http://ltgroot.ocsp.luxtrust.lu
> 
> Annual audits are performed by LSTI, according to the ETSI TS 102 042 
> criteria.
> Audit Statement: https://bugzilla.mozilla.org/attachment.cgi?id=8777887
> http://www.lsti-certification.fr/images/liste_entreprise/Liste%20PSCe.pdf
> 
> This continues the discussion of the request from LuxTrust to include the 
> "LuxTrust Global Root 2" certificate, turn on the Websites trust bit, and 
> enable EV treatment. At the conclusion of this discussion I will provide a 
> summary of issues noted and action items. If there are outstanding issues, 
> then additional discussion may be needed as follow-up. If there are no 
> outstanding issues, then I will recommend approval of this request in the bug.
> 
> Kathleen

Does anyone have comments, questions, or concerns about this request from 
LuxTrust to include the "LuxTrust Global Root 2" certificate, turn on the 
Websites trust bit, and enable EV treatment?

If not, I will close this discussion and recommend approval in the bug.

Thanks,
Kathleen



_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
