On 10/28/2013 12:06 PM, Kathleen Wilson wrote:
> https://wiki.mozilla.org/CA:How_to_apply#Creation_and_submission_of_the_root_CA_certificate_inclusion_request
> "An official representative of the CA must submit and/or participate in
> the root inclusion request. According to Mozilla's CA Certificate
> Inclusion Policy: "To request that its certificate(s) be added to the
> default set a CA should submit a formal request by submitting a bug
> report into the mozilla.org Bugzilla system ... The request must be made
> by an authorized representative of the subject CA..." If the CA
> contracts to another organization to help with the root inclusion
> request, the representative of the CA must clarify that relationship in
> the bug, and must provide clear information about who the ongoing
> points-of-contact will be for the CA.
>
> Perhaps a step should be added to the information verification phase to
> verify the authority of the representative of the CA.
> (https://wiki.mozilla.org/CA:How_to_apply#Information_Verification)
>
> Should we specify and define different types of CA representatives?
> e.g. technical contact, administrative contact, consultant, etc.
>
> What steps do you think would be reasonable and sufficient to confirm
> that the CA representative has the authority to act in that capacity?
>
> Kathleen
Generally, authoritative confirmation that someone represents a corporation consists of a letter on corporation letterhead and signed by an executive officer or board chairman of the corporation. This requires that the letter be sent via a postal service and not via E-mail. Given the high need for trust of NSS and root certificates, it would not be unreasonable to require such letters to be notarized by outside, independent notaries. It might also be reasonable to research the roster of the corporation's executives and to contact the purported signer of the letter (or that person's superior) to verify that he or she did indeed sign the letter.

I know this all seems very legalistic. Some of this is based on my recent experience (still ongoing) in attempting to settle my deceased son's estate. Faxes, phone calls, and E-mails are not sufficient documentation. Even copies are often insufficient; in many cases, only originals with raised seals are acceptable. (At a cost of $50US for a certified original copy of a court document, I must always request that the original be returned.) All this involves an estate of less than $100,000US.

What is reasonable when SSL is used for transactions adding to millions of dollars?

-- 
David E. Ross
<http://www.rossde.com/>

Where does your elected official stand? Which politicians refuse to tell us where they stand? See the non-partisan Project Vote Smart at <http://votesmart.org/>.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

