On Wed, October 28, 2015 1:55 am, mycho...@gmail.com wrote: > > Dear Sleevi > > First of all, I appreciate your detailed opinios and suggestions > > In terms of option B (application to only be for that of your SSL/website > CA rather than your root CA) > All CAs in CA hierarchy (including Root CA) has to follow a government > law. So, it's not easy to adapt > option B in this case
Earlier, you said "Actually, e-Signature law doesn't mention of SSL directly", which seems to run counter to your statements here. It also does not appear to be strictly necessary for your SSL issuance to be rooted in the same CA hierarchy, which was somewhat the point of Option B. Put differently, you've indicated that local law does not govern the SSL issuance, and the only reason you're in this predicament is because you've chosen to transitively root your SSL issuance to a root that does follow local law. Further, you've indicated that the reason your CPS is non-conforming does not, seemingly, appear to be related to local law, but rather the policies of the Government-operated Root, for which there does not seem any technical necessity to root yourself in. As such, it's unclear why Option B is not viable. I can understand difficult, but I do want to separate out difficulty/complexity from legal necessity, as they have very different impacts with respect to how the program should be operated. > If Root CA provides a > mapping table between RFC3647 and current > CPS for more easy review whether current CPS comply with the contents of > RFC3647 or not, do you think is it acceptable? Personally, I do not think it should be acceptable, as this seems to be a result of taking shortcuts / not fully considering the program requirements for the recognition of your SSL CA, rather than an intrinsic legal quandary as you have presented. However, it's entirely possible I've misunderstood, so I appreciate the continued explanations to develop a shared understanding. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy