On 2013-12-11 01:08, Kathleen Wilson wrote:
> Constrain the currently-included IGC/A root certificate to a certain
> set of domains. I think the restriction needs to be along the lines
> of *.gouv.fr.

This sounds like a reasonable pragmatic approach for a short-term solution to minimize impact on users of this CA while at the same time protecting all other users.

The CA has all three trust bits. We definitely should remove the code signing trust bit. Will this restriction also apply for S-MIME? If so, I think we can keep the S-MIME one.

I'm not so sure if this should also be the long-term solution: We require all CAs to "provide public attestation of their conformance to the stated verification requirements and other operational criteria by a competent independent party or parties with access to details of the CA’s internal operations."

I assume that this is supposed to be read as "competent independent (party or parties) with access to details of the CA’s internal operations" and not "(competent independent party) or (parties with access to details of the CA’s internal operations)", because the latter would not make any sense.

I was unable to locate any (semi-current) audit documents for this CA by independent parties. The only thing I found - which is also linked from the CA spreadsheet - is this: <https://bug666771.bugzilla.mozilla.org/attachment.cgi?id=661038> - which seems to be a document by the director of the ANSSI, not an independent party. This requirement has been in place since v1.0 of the policy (November 2005). Also, the audit is from 2011 - how often do we require audits?

If the CA doesn't have a current audit report from an *independent* party, I don't think we should keep it in the CA store in the long term in *any* form, not even constrained.

> Based on the list that Rob provided, there may be other domains that we
> might consider including.

This would basically mean that Mozilla would be performing CA duties - checking dozens or hundreds of domain names and verifying if it is a good idea to let the CA manage those. I think this would be excessive.

Kind regards,
Jan

--
Please avoid sending mails, use the group instead.
If you really need to send me an e-mail, mention "FROM NG" in the subject line, otherwise my spam filter will delete your mail. Sorry for the inconvenience, thank the spammers...
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

