On 5/4/15 5:33 PM, Ryan Sleevi wrote:
On Fri, April 24, 2015 4:58 pm, [email protected] wrote:
  Other than the concerns that have been raised about CRL and OCSP, are
  there any further questions or comments about this request from LuxTrust
  to include the "LuxTrust Global Root" root certificate, turn on the
  Websites and Code Signing trust bits, and enable EV treatment?

Hi Kathleen,

I've completed a review of the LuxTrust Global Root CA certificate profile
[1], the Global Root CA CPS [2], and the LuxTrust SSL CA CPS [3].

Similar to Certinomis, I found nothing of serious concern, but do want
to highlight several issues that may be worth discussion or consideration.

I do think that the inclusion request should not proceed until the
modifications to the revocation system have been completed. It is also
somewhat concerning that this was not raised during audit, since it is
incorporated into the appropriate ETSI requirements that LuxTrust was
audited to.



Thanks to all of you who contributed to this discussion about the request from LuxTrust to include the "LuxTrust Global Root" root certificate, turn on the Websites and Code Signing trust bits, and enable EV treatment.

I am now closing this discussion, and I will track the following three action items in the bug.

https://bugzilla.mozilla.org/show_bug.cgi?id=944783

1) Resolve the concerns that were raised about CRL and OCSP.
Also resolve all errors listed here: https://certificate.revocationcheck.com/www.trustme.lu

2) Stop issuing certs with SHA-1 based signatures, and certs with "Netscape Cert Type" extension (especially in this CA hierarchy)

3) Update the CPS documents to respond to Ryan's comments.

After I have confirmed completion of these action items, I will start a second round of discussion about this request.

Thanks,
Kathleen
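As an added illustration (not part of this thread, and not tooling from LuxTrust or Mozilla), here is a dependency-free Python check for two of the action items above: whether a DER-encoded certificate carries a SHA-1 based signature algorithm and whether it contains the legacy "Netscape Cert Type" extension (OID 2.16.840.1.113730.1.1). The function names, the minimal DER encoder, and the sample certificates are my own; the samples are constructed in the block with dummy names, key and signature so the check runs offline, and only the ASN.1 structure is realistic.

```python
"""Lint a DER-encoded X.509 certificate for a SHA-1 signature algorithm and
for the Netscape Cert Type extension, walking the DER by hand (no third-party
modules). Feed it the output of `openssl x509 -outform DER` for a real cert."""

# Signature-algorithm OIDs that hash with SHA-1 (standard OIDs, not from the thread).
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
NETSCAPE_CERT_TYPE_OID = "2.16.840.1.113730.1.1"


def der_read_tlv(buf, pos=0):
    """Decode one DER TLV (single-byte tag) at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, value) for each element inside a constructed element's body."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_read_tlv(value, pos)
        yield tag, inner


def decode_oid(value):
    """Turn the body of an OBJECT IDENTIFIER into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:                     # base-128, high bit set on continuation bytes
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def lint_certificate(der_bytes):
    """Return a list of findings (empty list means neither problem was seen)."""
    findings = []
    tag, cert, _ = der_read_tlv(der_bytes)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    tbs, sig_alg, _sig_value = list(der_children(cert))
    # signatureAlgorithm is AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters }
    _, alg_oid = next(der_children(sig_alg[1]))
    oid = decode_oid(alg_oid)
    if oid in SHA1_SIG_OIDS:
        findings.append("SHA-1 signature: " + SHA1_SIG_OIDS[oid])
    # extensions sit in the [3] EXPLICIT context tag (0xA3) of TBSCertificate
    for t, v in der_children(tbs[1]):
        if t == 0xA3:
            _, ext_seq = next(der_children(v))
            for _, ext in der_children(ext_seq):   # Extension ::= SEQUENCE { extnID, critical?, extnValue }
                if decode_oid(next(der_children(ext))[1]) == NETSCAPE_CERT_TYPE_OID:
                    findings.append("Netscape Cert Type extension present")
    return findings


# --- constructed sample input below; a minimal DER encoder just for the samples ---

def der(tag, body):
    """Encode one TLV (bodies under 65536 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def build_sample_cert(sig_oid, extension_oids):
    """Constructed placeholder certificate: correct X.509 layout, dummy contents, no real signature."""
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))         # AlgorithmIdentifier, NULL params
    empty_name = der(0x30, b"")
    validity = der(0x30, der(0x17, b"150101000000Z") + der(0x17, b"160101000000Z"))
    spki = der(0x30, alg + der(0x03, b"\x00"))
    exts = b"".join(der(0x30, encode_oid(o) + der(0x04, b"\x03\x02\x05\xa0")) for o in extension_oids)
    tbs_body = (der(0xA0, der(0x02, b"\x02"))                      # version v3
                + der(0x02, b"\x01")                                # serialNumber
                + alg + empty_name + validity + empty_name + spki)
    if extension_oids:
        tbs_body += der(0xA3, der(0x30, exts))
    return der(0x30, der(0x30, tbs_body) + alg + der(0x03, b"\x00"))


SAMPLE_BAD = build_sample_cert("1.2.840.113549.1.1.5", ["2.5.29.15", NETSCAPE_CERT_TYPE_OID])
SAMPLE_OK = build_sample_cert("1.2.840.113549.1.1.11", ["2.5.29.15"])   # sha256WithRSAEncryption

if __name__ == "__main__":
    for name, sample in (("constructed SHA-1 + nsCertType cert", SAMPLE_BAD),
                         ("constructed SHA-256 cert", SAMPLE_OK)):
        print(name, "->", lint_certificate(sample) or ["no findings"])
```

To run it against a real certificate from the hierarchy under discussion, convert with `openssl x509 -in cert.pem -outform DER -out cert.der` and pass the file's bytes to `lint_certificate`; the parser only follows the fields it needs, so it does not validate the signature or anything else about the certificate.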


_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
